Closed l00zak closed 2 years ago
Yes, there's a transitive dependency on log4j 1.2.17 via ESAPI, but the ESAPI team has done a thorough analysis of all the Log4J 1 related vulnerabilities and ESAPI does not expose users to any them with its standard configuration (which is to use ConsoleAppender
, although any of the FileAppender
s should be fine as well). The ESAPI team has written up specific Security Bulletins discussing these. As long as you are not using something like JMSAppender
or SMTPAppender
or another of the vulnerable classes in your log4j.xml file, you should be fine.
I can point out the specific links to the Security Bulletins latter if you would like me to, but don't have time at the moment. There are about 6 of them.
-kevin wall, ESAPI project co-lead
Thanks for quick answer Kevin! Found your statement about patching in ESAPI https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU?pli=1 As I understand log4j 1.2.17 will stay here until at least release of ESAPI 3.x because of backward compatibility, and there is no simple way to get rid of this dependency.
Our deprecation policy is next major release (which would be 3.x) OR at least 2 years until after the first deprecation announcement. That 2 years will be up on 7/13/2022 so we plan to do a release without Log4J 1 dependency shortly thereafter.
On Tue, May 3, 2022, 1:00 PM l00zak @.***> wrote:
Thanks for quick answer Kevin! Found your statement about patching in ESAPI
https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU?pli=1 As I understand log4j 1.2.17 will stay here until at least release of ESAPI 3.x because of backward compatibility, and there is no simple way to get rid of this dependency.
— Reply to this email directly, view it on GitHub https://github.com/OWASP/owasp-java-encoder/issues/60#issuecomment-1116333585, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAO6PGYXAJP4FVVTW7V5HB3VIFLTZANCNFSM5U6MHKOA . You are receiving this because you commented.Message ID: @.***>
-kevin
Apologies if this is hard to read. I copied it from an email that I shared with GitHub Security Lab and I thought @l00zak might find it helpful. I think the copy/paste stripped out the tabs and changed them to spaces.
Anyway, here's a complete list of the Log4J 1 related vulnerabilities that are associated with all the ESAPI releases that get flagged because of ESAPI's direct dependency on log4j-1.2.17.jar. I have written up ESAPI security bulletins for each of these and provided links for each.
CVE-2019-17571 SocketServer https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf CVE-2020-9488 SMTPAppender https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin4.pdf CVE-2021-4104 JMSAppender https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin6.pdf CVE-2022-23305 JDBCAppender https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin7.pdf CVE-2022-23302 JMSSink https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin9.pdf CVE-2022-23307 Chainsaw https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin10.pdf
Note that this last one, Apache Chainsaw, is now a separate library (it's a standalone GUI program to display log files), but it originally was included with the Log4J 1 jar and wasn't split out separately until Log4J 2.
-kevin
You could not be more clear Kevin! Thanks for clarification :)
FYI - Related to this closed issue, the ESAPI team is currently working on releasing 2.5.0.0, which will remove ALL Log4J 1 dependencies. As of 7/13/2022, Log4J 1 will have been officially deprecated for 2 years, which we only kept that long because of our deprecation policy. But once 2.5.0.0 is released (I'm working on release notes now), all known CVEs should be dealt with, but to get the benefit, the Java Encoder project (well, the 'ESAPI Thunk' part that builds the 'encoder-esapi' jar) will have to update to ESAPI 2.5.0.0. I'm hoping to have that out RSN.
It looks like it have some vulnerable log4j 1.2.17 dependency. Have you consider update to 2.17.2?
output from mvn dependency:tree command below