augustd / owasp-security-logging

OWASP Security Logging library for Java
https://www.owasp.org/index.php/OWASP_Security_Logging_Project
Apache License 2.0

investigate RCE impact zero day Log4j #65

Closed javabeanz closed 2 years ago

javabeanz commented 2 years ago

https://www.lunasec.io/docs/blog/log4j-zero-day/

augustd commented 2 years ago

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228

Upgraded Log4J version to 2.15.0 in #67. Working on a new release to get this into maven but having trouble with jqassistant:

 [ERROR] Failed to execute goal com.buschmais.jqassistant:jqassistant-maven-plugin:1.11.1:scan (default-cli) on 
project security-logging: Execution default-cli of goal com.buschmais.jqassistant:jqassistant-maven-
plugin:1.11.1:scan failed: Error starting org.neo4j.graphdb.facade.GraphDatabaseFacadeFactory, 
/Users/august/Dev/owasp-security-logging/target/jqassistant: Component 
'org.neo4j.kernel.NeoStoreDataSource@1ac71b87' was successfully initialized, but failed to start. Please see the 
attached cause exception "Unable to make field private java.lang.String java.lang.Throwable.detailMessage 
accessible: module java.base does not "opens java.lang" to unnamed module @2e45a357". Could not get 
Throwable message field -> [Help 1]

@javabeanz Any idea?
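A check a maintainer can run on the built artifact after the upgrade, added here as an example rather than code from the project or this thread: it reads the log4j-core Maven metadata inside a JAR, reports whether the JndiLookup class is still packaged, and flags versions older than the 2.15.0 the thread upgrades to (the JAR it scans is a constructed stand-in written to a temp dir).

```python
import re
import zipfile
from pathlib import Path
from tempfile import mkdtemp

# Paths inside a real log4j-core JAR: Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # version the thread upgrades to in #67


def parse_version(text: str) -> tuple:
    """Turn '2.15.0' into (2, 15, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def scan_jar(jar_path: str) -> dict:
    """Return the log4j-core version and JndiLookup presence for one JAR."""
    result = {"path": jar_path, "version": None, "jndi_lookup": False}
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        result["jndi_lookup"] = JNDI_LOOKUP in names
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if m:
                result["version"] = m.group(1).strip()
    return result


def needs_upgrade(report: dict) -> bool:
    """True when the JAR is log4j-core and older than 2.15.0."""
    if report["version"] is None:
        return False  # not log4j-core, or no Maven metadata to judge by
    return parse_version(report["version"]) < FIXED_VERSION


def make_sample_jar(version: str, with_jndi: bool = True) -> str:
    """Build a constructed, minimal stand-in for a log4j-core JAR (test input)."""
    path = str(Path(mkdtemp()) / f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
    return path


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0"):
        r = scan_jar(make_sample_jar(v))
        print(r, "needs upgrade" if needs_upgrade(r) else "ok")
```

Point `scan_jar` at the JARs under a real build's target or lib directory to confirm the packaged version matches the pom.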

javabeanz commented 2 years ago

Tried changing the order of libs? With dyn. classloading, assertions, and modules, things can get hairy fast.

augustd commented 2 years ago

Looks like jqassistant uses the older version of Neo4J:

[INFO] Plugin Resolved: jqassistant-maven-plugin-1.11.1.jar
[INFO]     Plugin Dependency Resolved: shared-1.11.1.jar
...
[INFO]     Plugin Dependency Resolved: neo4jv3-1.11.1.jar
[INFO]     Plugin Dependency Resolved: neo4j-3.5.29.jar

Which has some illegal accesses, which (I'm guessing) threw warnings back in 2018, but won't work at all in newer versions of Java.

javabeanz commented 2 years ago

Version 1.1.7 addresses CVE-2021-44228 - is this one issue solved then?

augustd commented 2 years ago

Yes, this is resolved in 1.1.7