Closed christopher-cudennec closed 11 months ago
Spring Boot 2.7.x is also using Logback 1.2, and they are explicitly loading StaticLoggerBinder in LogbackLoggingSystem.java, so it is not possible to upgrade SLF4J to 2.x or newer Logback versions.
There are quite a few users who haven't been able to upgrade to slf4j 2.x due to their dependency libs not having been modified to support slf4j 2.x. Apache Pekko is an example. Most features work when you use slf4j 2.x but we have seen a few issues and are trying to sort them out (work still not complete).
+1 Spring 2.7.x is actively supported and the only viable option for many Spring-based products running on Java <17. It'd be great to see this fix introduced to Logback 1.2.x as well.
+1 Also putting this reference here, https://github.com/spring-projects/spring-boot/issues/34708, in regard to Spring Boot 2.7 vs 3.0 and why this will be an important issue for a lot of projects out there on 2.7.
All the reasons other folks (namely spring boot) cite are affecting us too. Of course we could fork and push an internal fix, but I hate doing that when avoidable
Hi @ceki
Would you mind reviewing the backport of this CVE and releasing 1.2.13 afterwards?
Hi @bvahdat,
Thank you for the PR. However, the fix is being ported independently of your PR.
Thanks @ceki for your feedback. I was not aware of this parallel effort going on, as I don't see any corresponding PR for that in this repo.
Do you maybe have any estimate of when 1.2.13 would be released including this fix?
Version 1.2.13 was released a few moments ago.
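For readers on Spring Boot 2.7.x who want to pick up the fixed release without moving to SLF4J 2.x, here is an added example (not from this thread or the Logback project) of pinning Logback to 1.2.13 in a Maven build. It assumes the project inherits from the Spring Boot starter parent, which exposes the `logback.version` property through spring-boot-dependencies; the parent version shown is just an assumed 2.7.x release.

```xml
<project>
  <!-- Assumed: a Spring Boot 2.7.x parent; adjust to the 2.7.x release you use. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.18</version>
  </parent>

  <properties>
    <!-- Override the managed Logback version so logback-core and logback-classic
         resolve to 1.2.13, which contains the CVE-2023-6378 fix, while staying on
         the SLF4J 1.7 / StaticLoggerBinder line that Spring Boot 2.7 requires. -->
    <logback.version>1.2.13</logback.version>
  </properties>

  <dependencies>
    <!-- Ordinary starter; no explicit Logback coordinates are needed, the
         property above is applied by Spring Boot's dependency management. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=ch.qos.logback` should list both `ch.qos.logback:logback-core` and `ch.qos.logback:logback-classic` at 1.2.13; if a transitive dependency still pulls in an older 1.2.x, the same coordinates can be pinned in a `dependencyManagement` block instead. Projects that import `spring-boot-dependencies` as a BOM rather than using the parent cannot override the property this way and need the `dependencyManagement` entries.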
Hi Logback team and @ceki!
Do you know if there is a batch routine that runs on Maven Central that removes the identified vulnerability? I ask because on Maven Central it is still counted as vulnerable, and I'm unfamiliar with Maven Central deploys. Thanks for your effort!
@joaoluis89 Thank you for your feedback.
I presume that logback 1.2.13 fixing CVE-2023-6378 was not added to the CVE record. I have made the relevant request and the appropriate edit should be applied soon.
Hi @ceki. Will your change in the advisory repo also update tools like Mend? https://www.mend.io/vulnerability-database/CVE-2023-6378
Hi @Kiemes, I do not know how these various tools synchronize their data. However, I am happy to report that cve.org shows updated data as of this morning, 9:00 UTC.
@ceki While checking the Maven Central Repo, v1.2.3 still shows "Direct vulnerabilities: CVE-2023-6378". This is causing issues with our ORCA. Is there anything we can do on our part to help fix this matter?
@Ribeiro Logback version 1.2.13 was released fixing CVE-2023-6378. The link clearly documents this.
Also, CVE-2023-6378 at www.cve.org has the correct data.
Have you tried raising the issue with Maven Central Repo?
Hi @ceki, thanks for your prompt reply. I'll try that and get back asap.
Unfortunately Maven Central still shows 1.2.13 as vulnerable to CVE-2023-6378 for some reason... https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.13
Have they responded?
Hi Logback team / @ceki ! 👋
We still work with Dropwizard 2.1, which still relies on Logback 1.2. Do you have any plans to backport your fix to prevent the DoS attack that is already applied to the 1.3 and 1.4 branches? That would be greatly appreciated! 🌻
Cheers,
Christopher