apache / incubator-seata

:fire: Seata is an easy-to-use, high-performance, open source distributed transaction solution.
https://seata.apache.org/
Apache License 2.0
25.39k stars 8.79k forks source link

[Announce] Log4j CVE-2021-44228 安全漏洞影响说明 #4203

Open slievrly opened 2 years ago

slievrly commented 2 years ago

CVE-2021-44228 Announce

Recently, the mainstream log framework log4j2 was reported with a severe security vulnerability CVE-2021-44228.

The following is a summary of the impact of this vulnerability CVE-2021-44228 on the Seata.

Potential Influence on Seata

CVE-2021-44228 has NO security impact on use of Seata.

log4j-core dependency are not referenced directly or indirectly in the Seata project So you don't need to upgrade the version of Seata for security reasons.

Seata currently contains 82 modules. The following is the dependency analysis of Seata modules on log4j2.

mvn cmd:

mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j

seata-console transfers log4j-api dependency through spring-boot. log4j-api itself has no security issue.In addition,'seata-console' is a newly added module that has not yet been released.

 [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ seata-console ---
 [INFO] io.seata:seata-console:jar:1.5.0-SNAPSHOT
 [INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.3.10.RELEASE:compile
 [INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.3.10.RELEASE:compile
 [INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.10.RELEASE:compile
 [INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
 [INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
carllhw commented 2 years ago

依赖分析确实没有,但是docker镜像里有log4j-1.2.17.jar

~ docker run -ti --rm --entrypoint sh seataio/seata-server:1.4.2
/seata-server # ls -l /seata-server/libs/ | grep log4j
-rw-r--r--    1 root     root        489884 Jan  1  1970 log4j-1.2.17.jar

~ docker run -ti --rm --entrypoint sh seataio/seata-server:latest
# ls -l /seata-server/libs/ | grep log4j
-rw-r--r-- 1 root root  489884 Jan  1  1970 log4j-1.2.17.jar
-rw-r--r-- 1 root root  292301 Jan  1  1970 log4j-api-2.13.3.jar
-rw-r--r-- 1 root root   17461 Jan  1  1970 log4j-to-slf4j-2.13.3.jar
funky-eyes commented 2 years ago

依赖分析确实没有,但是docker镜像里有log4j-1.2.17.jar

~ docker run -ti --rm --entrypoint sh seataio/seata-server:1.4.2
/seata-server # ls -l /seata-server/libs/ | grep log4j
-rw-r--r--    1 root     root        489884 Jan  1  1970 log4j-1.2.17.jar

~ docker run -ti --rm --entrypoint sh seataio/seata-server:latest
# ls -l /seata-server/libs/ | grep log4j
-rw-r--r-- 1 root root  489884 Jan  1  1970 log4j-1.2.17.jar
-rw-r--r-- 1 root root  292301 Jan  1  1970 log4j-api-2.13.3.jar
-rw-r--r-- 1 root root   17461 Jan  1  1970 log4j-to-slf4j-2.13.3.jar

漏洞属于2不是1

carllhw commented 2 years ago

https://logging.apache.org/log4j/1.2/index.html

Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.

CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be expoited.

CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.

funky-eyes commented 2 years ago

https://logging.apache.org/log4j/1.2/index.html

Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.

CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be expoited.

CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.

CVE-2021-44228

carllhw commented 2 years ago

已提一个新的issue https://github.com/seata/seata/issues/4404

sheng895 commented 1 year ago

存在高危的安全漏洞Apache Kafka Connect 远程代码执行漏洞 (CVE-2023-25194)

868e3aafdda99e649a9dd7bb4a03808