Open slievrly opened 2 years ago
依赖分析确实没有,但是docker镜像里有log4j-1.2.17.jar
~ docker run -ti --rm --entrypoint sh seataio/seata-server:1.4.2
/seata-server # ls -l /seata-server/libs/ | grep log4j
-rw-r--r-- 1 root root 489884 Jan 1 1970 log4j-1.2.17.jar
~ docker run -ti --rm --entrypoint sh seataio/seata-server:latest
# ls -l /seata-server/libs/ | grep log4j
-rw-r--r-- 1 root root 489884 Jan 1 1970 log4j-1.2.17.jar
-rw-r--r-- 1 root root 292301 Jan 1 1970 log4j-api-2.13.3.jar
-rw-r--r-- 1 root root 17461 Jan 1 1970 log4j-to-slf4j-2.13.3.jar
依赖分析确实没有,但是docker镜像里有log4j-1.2.17.jar
~ docker run -ti --rm --entrypoint sh seataio/seata-server:1.4.2 /seata-server # ls -l /seata-server/libs/ | grep log4j -rw-r--r-- 1 root root 489884 Jan 1 1970 log4j-1.2.17.jar ~ docker run -ti --rm --entrypoint sh seataio/seata-server:latest # ls -l /seata-server/libs/ | grep log4j -rw-r--r-- 1 root root 489884 Jan 1 1970 log4j-1.2.17.jar -rw-r--r-- 1 root root 292301 Jan 1 1970 log4j-api-2.13.3.jar -rw-r--r-- 1 root root 17461 Jan 1 1970 log4j-to-slf4j-2.13.3.jar
漏洞属于2不是1
https://logging.apache.org/log4j/1.2/index.html
Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.
CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be expoited.
CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.
CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.
CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.
CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.
https://logging.apache.org/log4j/1.2/index.html
Since Log4j 1 is no longer maintained none of the issues listed will be fixed. Users are urged to upgrade to Log4j 2. More issues will be added to this list as they are reported.
CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be expoited.
CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.
CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.
CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.
CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.
CVE-2021-44228
已提一个新的issue https://github.com/seata/seata/issues/4404
存在高危的安全漏洞Apache Kafka Connect 远程代码执行漏洞 (CVE-2023-25194)
CVE-2021-44228 Announce
Recently, the mainstream log framework log4j2 was reported with a severe security vulnerability CVE-2021-44228.
The following is a summary of the impact of this vulnerability CVE-2021-44228 on the Seata.
Potential Influence on Seata
CVE-2021-44228 has NO security impact on use of Seata.
log4j-core
dependency are not referenced directly or indirectly in the Seata project So you don't need to upgrade the version of Seata for security reasons.Seata currently contains 82 modules. The following is the dependency analysis of Seata modules on log4j2.
mvn cmd:
mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j
seata-console
transfers log4j-api dependency through spring-boot. log4j-api itself has no security issue.In addition,'seata-console' is a newly added module that has not yet been released.seata-server
transfers log4j-api dependency through spring-boot. log4j-api itself has no security issue.seata-distribution
通过 spring-boot web 组件传递了 log4j-api 依赖,log4j-api 本身并无安全问题apm-seata-skywalking-plugin
transfers log4j-api dependency through spring-boot web. log4j-api itself has no security issue.In addition to the modules shown above, other modules don't depend on
org.apache.logging.log4j
. Meanwhile, we have analyzed seata-samples and found no dependency onlog4j-core
, so the security vulnerability does not affect seata-samples. Finally, the Seata community urges people not to exploit security vulnerabilities, to report undiscovered security vulnerabilities, and not to discuss them publicly.CVE-2021-44228 漏洞说明
最近,主流日志组件 log4j2 爆出安全漏洞 CVE-2021-44228。
以下是漏洞 CVE-2021-44228 对 Seata 的影响说明。
Seata 影响范围
CVE-2021-44228 该漏洞并未对 Seata 造成安全影响。
Seata 的项目中并未直接或间接依赖
log4j-core
, 所以你不需要因为安全性问题而升级Seata的版本。Seata 共包含82个模块。以下是 Seata 模块对 log4j2 的依赖分析:
mvn 命令:
mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j
seata-console
通过 spring-boot 组件传递了 log4j-api 依赖,log4j-api 本身并无安全问题。另外,seata-console
是一个最新添加尚未发布的模块。seata-server
通过 spring-boot 组件传递了 log4j-api 依赖,log4j-api 本身并无安全问题seata-distribution
通过 spring-boot web 组件传递了 log4j-api 依赖,log4j-api 本身并无安全问题apm-seata-skywalking-plugin
transfers log4j-api dependency through spring-boot web. log4j-api itself has no security issue.除了上述模块,其他模块也是没有依赖 org.apache.logging.log4j。 同时,我们对 seata-samples 进行了分析,未发现依赖
log4j-core
,因此这个安全漏洞不影响seata-samples
. 最后,Seata 社区希望大家不要利用安全漏洞信息,及时上报未发现的安全漏洞,不要在公开场合讨论它们。