Closed (fipro78 closed this issue 2 years ago)
@fipro78 CVE-2021-4104 has been fixed by hardening JMSAppender and not by removal. Is log4j2-scan checking for the removal of JMSAppender?
To be honest, I have no idea as I am just a user. But I have now also opened a ticket in logpresso. Maybe this way communication can be established to solve the issue together.
https://github.com/logpresso/CVE-2021-44228-Scanner/issues/271
I think logpresso currently only checks if the JMSAppender class exists in the codebase and shows that output without checking it further.
See https://github.com/logpresso/CVE-2021-44228-Scanner/blob/main/src/main/java/com/logpresso/scanner/Detector.java#L280 and https://github.com/logpresso/CVE-2021-44228-Scanner/blob/main/src/main/java/com/logpresso/scanner/Detector.java#L352-L353
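To make the difference between the two checks concrete, here is an added example that is not code from logpresso, reload4j, or anyone in this thread. It contrasts the presence-only check described above (is `org/apache/log4j/net/JMSAppender.class` in the archive?) with a check that also identifies the artifact from its Maven `pom.properties`, so that a reload4j jar, which keeps the class but ships a hardened version of it, is reported differently from a classic log4j 1.2 jar. The class entry path, the Maven coordinates `log4j:log4j` and `ch.qos.reload4j:reload4j`, and the in-memory jars are all assumptions or constructed test data; how logpresso actually implements its reload4j handling is not shown on this page.

```python
import io
import zipfile

# Path of the class the thread says logpresso looks for. The entry name is assumed
# from the log4j 1.x package layout, not taken from the scanner source.
JMSAPPENDER_ENTRY = "org/apache/log4j/net/JMSAppender.class"

# Maven coordinates assumed for the two artifacts discussed in the thread.
LOG4J_12_COORDS = ("log4j", "log4j")
RELOAD4J_COORDS = ("ch.qos.reload4j", "reload4j")


def build_jar(entries):
    """Build an in-memory jar (a zip) from {entry_path: bytes}. Constructed data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def read_pom_properties(zf):
    """Return (groupId, artifactId, version) from META-INF/maven/*/*/pom.properties, or None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = {}
            for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                line = raw.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            return props.get("groupId"), props.get("artifactId"), props.get("version")
    return None


def scan_jar(jar_bytes, path="<root>"):
    """Classify one jar (recursing into nested *.jar entries) for the JMSAppender question.

    Each finding is a dict with the jar path, whether the class entry is present,
    the Maven coordinates found (or None), and a verdict:
      'flag'              - JMSAppender present in a log4j:log4j artifact (classic log4j 1.2)
      'reload4j-hardened' - JMSAppender present, but the artifact is reload4j, which
                            (per the thread) hardened the class rather than removing it
      'present-unknown'   - JMSAppender present, origin could not be identified
      'absent'            - no JMSAppender class entry at all
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        has_jms = JMSAPPENDER_ENTRY in names      # the presence-only check
        coords = read_pom_properties(zf)          # the extra identification step
        if not has_jms:
            verdict = "absent"
        elif coords is None:
            verdict = "present-unknown"
        elif coords[:2] == RELOAD4J_COORDS:
            verdict = "reload4j-hardened"
        elif coords[:2] == LOG4J_12_COORDS:
            verdict = "flag"
        else:
            verdict = "present-unknown"
        findings.append({"path": path, "has_jmsappender": has_jms,
                         "artifact": coords, "verdict": verdict})
        # Fat jars and wars commonly embed further jars; scan those as well.
        for name in names:
            if name.endswith(".jar"):
                findings.extend(scan_jar(zf.read(name), path=f"{path}!{name}"))
    return findings


def worst_verdict(findings):
    """Reduce a list of findings to the most severe verdict for a whole archive."""
    order = ["absent", "reload4j-hardened", "present-unknown", "flag"]
    return max((f["verdict"] for f in findings), key=order.index)


def pom_props(group, artifact, version):
    return f"groupId={group}\nartifactId={artifact}\nversion={version}\n".encode()


# Constructed stand-ins for the artifacts discussed (not the real jars from Maven Central).
CLASS_STUB = b"\xca\xfe\xba\xbe"  # class-file magic only; the scan never parses the bytes
SAMPLE_LOG4J_12 = build_jar({
    JMSAPPENDER_ENTRY: CLASS_STUB,
    "META-INF/maven/log4j/log4j/pom.properties": pom_props("log4j", "log4j", "1.2.17"),
})
SAMPLE_RELOAD4J = build_jar({
    JMSAPPENDER_ENTRY: CLASS_STUB,
    "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties":
        pom_props("ch.qos.reload4j", "reload4j", "1.2.18.4"),
})
SAMPLE_NO_JMS = build_jar({
    "org/apache/log4j/Logger.class": CLASS_STUB,
    "META-INF/maven/log4j/log4j/pom.properties": pom_props("log4j", "log4j", "1.2.17"),
})
# A war that embeds the reload4j stand-in: the nested scan has to reach it.
SAMPLE_WAR = build_jar({"WEB-INF/lib/reload4j-1.2.18.4.jar": SAMPLE_RELOAD4J})

if __name__ == "__main__":
    for label, blob in [("log4j-1.2", SAMPLE_LOG4J_12), ("reload4j", SAMPLE_RELOAD4J),
                        ("no-jms", SAMPLE_NO_JMS), ("app.war", SAMPLE_WAR)]:
        fs = scan_jar(blob, label)
        print(label, worst_verdict(fs), [(f["path"], f["verdict"]) for f in fs])
```

Run against the constructed inputs, the log4j 1.2 stand-in is flagged, the reload4j stand-in is reported as present-but-hardened, the jar without the class is reported as absent, and the war is classified by the jar nested under `WEB-INF/lib`. A jar that carries the class but no `pom.properties` (a shaded or repackaged build, for example) deliberately stays at "present-unknown" so it is reviewed by hand rather than silently cleared.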
logpresso added special handling for reload4j, so this issue can be closed.
I downloaded reload4j 1.2.18.4 from Maven Central and executed logpresso [1] on it via
I get the following output:
I don't know how logpresso actually works to identify the issue. But as the intention of reload4j is to fix CVE-2021-4104, there seems to be some inconsistency. Not sure if the ticket is placed correctly here or if it should be opened in the logpresso repository. Any insights would be helpful to get a consistent view on the fix provided via reload4j to avoid confusion.
[1] https://github.com/logpresso/CVE-2021-44228-Scanner