DynamoDBLocal uses old log4j w/ CVE-2017-5645

[efenderbosch]

I'm not sure where to submit this, since it seems like the DynamoDBLocal doesn't have its own repository.

https://nvd.nist.gov/vuln/detail/CVE-2017-5645

Simply updating to version 2.8.2 should fix the issue.

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.8.2</version>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>2.8.2</version>
        </dependency>

Current workaround is to exclude transitively included log4j and override to 2.8.8:

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.8.2</version>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>2.8.2</version>
        </dependency>
        <dependency>
            <groupId>com.amazonaws</groupId>
            <artifactId>DynamoDBLocal</artifactId>
            <version>[1.11,2.0)</version>
            <exclusions>
                <exclusion>
                    <groupId>commons-logging</groupId>
                    <artifactId>commons-logging</artifactId>
                </exclusion>
                <exclusion>
                    <!-- exclude v2.6.2 for CVE CVE-2017-5645 -->
                    <groupId>org.apache.logging.log4j</groupId>
                    <artifactId>log4j-core</artifactId>
                </exclusion>
                <exclusion>
                    <!-- exclude v2.6.2 for CVE CVE-2017-5645 -->
                    <groupId>org.apache.logging.log4j</groupId>
                    <artifactId>log4j-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

[kiiadi]

@efenderbosch what's the actual issue you're seeing? It's not clear from the description.

DynamoDB Local isn't actually part of the Java SDK. I can try and help you find the right place once I'm more clear what the issue is. Alternatively - you may have better luck posting this question on StackOverflow with the amazon-dynamodb tag.

[efenderbosch]

It isn't part of the Java SDK, but it is mentioned in the official documentation here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.html

And it is a Java based project. I couldn't find the actual project so thought this would be a good place to start. I thought it might be over in https://github.com/awslabs but no such luck.

The issue is that we run the OWASP Dependency Check on our builds and it is flagging that

    <dependency>
        <groupId>com.amazonaws</groupId>
        <artifactId>DynamoDBLocal</artifactId>
        <version>[1.11,2.0)</version>
    </dependency>

transitively includes org.apache.logging.log4j:log4j-api:2.6.2 which has the CVE I linked above.

Granted, DynamoDBLocal is a testing library, but the vulnerability allows arbitrary code execution and can be easily fixed by updating org.apache.logging.log4j dependencies to 2.8.2.

Someone at AWS produced this library, the LICENSE.txt embedded in the JAR contains "THIS IS AN AGREEMENT BETWEEN YOU AND AMAZON WEB SERVICES..."

[amcp]

@efenderbosch Taking a look.

[kiiadi]

@efenderbosch this has been picked up by the DynamoDBLocal team. I'm going to close this issue for now since this isn't an issue with the Java SDK. @amcp will come back on this when they have a fix.

[dsilvasc]

@amcp was there a fix published?

[Dretch]

It looks like this is still an issue with the latest DynamoDBLocal version 1.13.2.

[debora-ito]

This was fixed in DynamoDBLocal version 1.13.5, the log4j-api version was upgraded to 2.13.13.