Please support remediation of CVE-2021-4104 by removing JMSAppender.class as well

[ericchiang]

Is the JMSAppender.class still vulnerable without the JndiLookup.class?

https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

[jshomphe]

QualysGuard appears to think it is :). I havent looked in to the codepath, but a large number of 3rd party scanners are checking for specific class names in jar files to detect the issue.

On Tue, Jan 4, 2022 at 3:38 PM Eric Chiang @.***> wrote:

Is the JMSAppender.class still vulnerable without the JndiLookup.class?

apache/logging-log4j2#608 (comment) https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

— Reply to this email directly, view it on GitHub https://github.com/google/log4jscanner/issues/37#issuecomment-1005254092, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABJGNKO54OEQU4QXIS3NJMDUUOAHFANCNFSM5LISXQHA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you authored the thread.Message ID: @.***>

[ericchiang]

Yeah, it looks like this was the recommended remediation by a couple vendors. Thanks for bringing this up :)

https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-log4j-affects-some-features-ibm%C2%AE-db2%C2%AE-cve-2021-4104

Adding one of the jars from https://repo1.maven.org/maven2/log4j/log4j/1.2.17/ to our test data, it looks like we wouldn't find it as vulnerable, so it'd need different matching logic.

cc @ddworken

[ddworken]

Thank you for the feature request, but after discussing this we believe that this is out-of-scope for this tool. The goal of this tool is specifically to detect the critical RCE vulnerabilities affecting log4j 2.x that are broadly exploitable, and thus need to be urgently patched. CVE-2021-4104 only applies if an attacker has control over the log4j config, which I believe is not true in most cases. And it is even more unlikely that a completely unprivileged attacker would have this level of access. So while CVE-2021-4104 is an important vulnerability to patch, I don't think it is critical in that same way CVE-2021-44228 is.

If you need a general tool to search for vulnerable dependencies, I'd recommend investing in other solutions that check all dependencies, not just log4j dependencies. Though if you need this specific feature for your own use, you can of course always fork it to add it yourself, it shouldn't be too hard to add the relevant logic to jar.go and rewrite.go.