search

OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License
483 stars 112 forks source link

log4j 1.2.17 dependency #60

Closed l00zak closed 2 years ago

l00zak commented 2 years ago

It looks like it have some vulnerable log4j 1.2.17 dependency. Have you consider update to 2.17.2?

output from mvn dependency:tree command below

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ encoder-esapi ---
[INFO] org.owasp.encoder:encoder-esapi:jar:1.2.3
[INFO] +- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] +- org.owasp.esapi:esapi:jar:2.4.0.0:compile
[INFO] | +- com.io7m.xom:xom:jar:1.2.10:compile
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | | - commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] | +- commons-lang:commons-lang:jar:2.6:compile
[INFO] | +- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] | +- log4j:log4j:jar:1.2.17:compile
[INFO] | +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] | +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.6.8:compile
[INFO] | | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.61.0:compile
[INFO] | | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile
[INFO] | | | +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile
[INFO] | | | - commons-codec:commons-codec:jar:1.15:compile
[INFO] | | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.3:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] | | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] | | | | - org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] | | | - org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] | | +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] | | - xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | - commons-io:commons-io:jar:2.11.0:compile
[INFO] - junit:junit:jar:3.8.2:test

kwwall commented 2 years ago

Yes, there's a transitive dependency on log4j 1.2.17 via ESAPI, but the ESAPI team has done a thorough analysis of all the Log4J 1 related vulnerabilities and ESAPI does not expose users to any them with its standard configuration (which is to use ConsoleAppender, although any of the FileAppenders should be fine as well). The ESAPI team has written up specific Security Bulletins discussing these. As long as you are not using something like JMSAppender or SMTPAppender or another of the vulnerable classes in your log4j.xml file, you should be fine.

I can point out the specific links to the Security Bulletins latter if you would like me to, but don't have time at the moment. There are about 6 of them.

-kevin wall, ESAPI project co-lead

l00zak commented 2 years ago

Thanks for quick answer Kevin! Found your statement about patching in ESAPI https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU?pli=1 As I understand log4j 1.2.17 will stay here until at least release of ESAPI 3.x because of backward compatibility, and there is no simple way to get rid of this dependency.

kwwall commented 2 years ago

Our deprecation policy is next major release (which would be 3.x) OR at least 2 years until after the first deprecation announcement. That 2 years will be up on 7/13/2022 so we plan to do a release without Log4J 1 dependency shortly thereafter.

On Tue, May 3, 2022, 1:00 PM l00zak @.***> wrote:

Thanks for quick answer Kevin! Found your statement about patching in ESAPI

https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU?pli=1 As I understand log4j 1.2.17 will stay here until at least release of ESAPI 3.x because of backward compatibility, and there is no simple way to get rid of this dependency.

— Reply to this email directly, view it on GitHub https://github.com/OWASP/owasp-java-encoder/issues/60#issuecomment-1116333585, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAO6PGYXAJP4FVVTW7V5HB3VIFLTZANCNFSM5U6MHKOA . You are receiving this because you commented.Message ID: @.***>

-kevin

kwwall commented 2 years ago

Apologies if this is hard to read. I copied it from an email that I shared with GitHub Security Lab and I thought @l00zak might find it helpful. I think the copy/paste stripped out the tabs and changed them to spaces.

Anyway, here's a complete list of the Log4J 1 related vulnerabilities that are associated with all the ESAPI releases that get flagged because of ESAPI's direct dependency on log4j-1.2.17.jar. I have written up ESAPI security bulletins for each of these and provided links for each.

Assigned CVE Vuln Component ESAPI Security Bulletin

CVE-2019-17571 SocketServer https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf CVE-2020-9488 SMTPAppender https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin4.pdf CVE-2021-4104 JMSAppender https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin6.pdf CVE-2022-23305 JDBCAppender https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin7.pdf CVE-2022-23302 JMSSink https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin9.pdf CVE-2022-23307 Chainsaw https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin10.pdf

Note that this last one, Apache Chainsaw, is now a separate library (it's a standalone GUI program to display log files), but it originally was included with the Log4J 1 jar and wasn't split out separately until Log4J 2.

-kevin

l00zak commented 2 years ago

You could not be more clear Kevin! Thanks for clarification :)

kwwall commented 2 years ago

FYI - Related to this closed issue, the ESAPI team is currently working on releasing 2.5.0.0, which will remove ALL Log4J 1 dependencies. As of 7/13/2022, Log4J 1 will have been officially deprecated for 2 years, which we only kept that long because of our deprecation policy. But once 2.5.0.0 is released (I'm working on release notes now), all known CVEs should be dealt with, but to get the benefit, the Java Encoder project (well, the 'ESAPI Thunk' part that builds the 'encoder-esapi' jar) will have to update to ESAPI 2.5.0.0. I'm hoping to have that out RSN.