qos-ch / reload4j

reload4j is a drop-in replacement for log4j 1.2.17
Apache License 2.0

logpresso identifies CVE-2021-4104 #36

Closed fipro78 closed 2 years ago

fipro78 commented 2 years ago

I downloaded reload4j 1.2.18.4 from Maven Central and executed logpresso [1] on it via

log4j2-scan --scan-log4j1 reload4j-1.2.18.4.jar

I get the following output:

[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in C:\Users\xxx\Downloads\reload4j\reload4j-1.2.18.4.jar, log4j N/A

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 1 potentially vulnerable files
Found 0 mitigated files
Completed in 0.01 seconds

I don't know how logpresso actually works to identify the issue. But as the intention of reload4j is to fix CVE-2021-4104, there seems to be some inconsistency. Not sure if the ticket is placed correctly here or if it should be opened in the logpresso repository. Any insights would be helpful to get a consistent view on the fix provided via reload4j to avoid confusion.

[1] https://github.com/logpresso/CVE-2021-44228-Scanner

ceki commented 2 years ago

@fipro78 CVE-2021-4104 has been fixed by hardening JMSAppender and not by removal. Is log4j2-scan checking for the removal of JMSAppender?

fipro78 commented 2 years ago

To be honest, I have no idea as I am just a user. But I have now also opened a ticket in logpresso. Maybe this way communication can be established to solve the issue together.

https://github.com/logpresso/CVE-2021-44228-Scanner/issues/271

123Haynes commented 2 years ago

I think logpresso currently only checks if the JMSAppender class exists in the codebase and shows that output without checking it further.

See https://github.com/logpresso/CVE-2021-44228-Scanner/blob/main/src/main/java/com/logpresso/scanner/Detector.java#L280 and https://github.com/logpresso/CVE-2021-44228-Scanner/blob/main/src/main/java/com/logpresso/scanner/Detector.java#L352-L353
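The distinction drawn in this thread, between a scanner that only asks "does the JMSAppender class exist in the jar?" and one that also asks where the jar came from, can be shown in a few lines. The following is an added example written for this thread; it is not logpresso's code and not reload4j's. It assumes that both jars are Maven-built and therefore carry a META-INF/maven/<groupId>/<artifactId>/pom.properties entry, and that reload4j is published under the Maven coordinates ch.qos.reload4j:reload4j (both are assumptions on my part, not facts stated in the thread). The sample jars are constructed in memory with placeholder class bodies so the script runs offline.

```python
"""Scan a jar for log4j 1.x JMSAppender and tell log4j 1.2 apart from reload4j.

Assumptions (not stated in the issue thread): Maven-built jars carry
META-INF/maven/<groupId>/<artifactId>/pom.properties, and reload4j is
published as ch.qos.reload4j:reload4j.
"""
import io
import zipfile

# Class whose mere presence makes a naive scanner report CVE-2021-4104.
JMS_APPENDER_ENTRY = "org/apache/log4j/net/JMSAppender.class"

# Maven coordinates (assumed) of reload4j and of log4j 1.2.
RELOAD4J_COORDS = ("ch.qos.reload4j", "reload4j")
LOG4J1_COORDS = ("log4j", "log4j")


def parse_properties(text):
    """Minimal parser for Java .properties 'key=value' lines; skips comments and blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def maven_coordinates(zf):
    """Return (groupId, artifactId) from the first pom.properties in the jar, or None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            if "groupId" in props and "artifactId" in props:
                return (props["groupId"], props["artifactId"])
    return None


def classify_jar(jar_bytes):
    """Classify a jar instead of stopping at 'the JMSAppender class exists'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        has_jms = JMS_APPENDER_ENTRY in zf.namelist()
        coords = maven_coordinates(zf)
    if not has_jms:
        verdict = "no JMSAppender class: not affected by CVE-2021-4104"
    elif coords == RELOAD4J_COORDS:
        verdict = "reload4j: JMSAppender present but hardened, not removed"
    elif coords == LOG4J1_COORDS:
        verdict = "log4j 1.2: potentially vulnerable (CVE-2021-4104)"
    else:
        verdict = "JMSAppender present, origin unknown: potentially vulnerable"
    return {"has_jms_appender": has_jms, "coordinates": coords, "verdict": verdict}


def build_jar(entries):
    """Build an in-memory jar from {entry_name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars: class bodies are placeholders, not real bytecode.
FAKE_CLASS = b"\xca\xfe\xba\xbe placeholder"
LOG4J1_JAR = build_jar({
    JMS_APPENDER_ENTRY: FAKE_CLASS,
    "META-INF/maven/log4j/log4j/pom.properties":
        b"# constructed sample\ngroupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
})
RELOAD4J_JAR = build_jar({
    JMS_APPENDER_ENTRY: FAKE_CLASS,
    "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties":
        b"groupId=ch.qos.reload4j\nartifactId=reload4j\nversion=1.2.18.4\n",
})
UNRELATED_JAR = build_jar({"com/example/App.class": FAKE_CLASS})

if __name__ == "__main__":
    samples = [("log4j-1.2.17", LOG4J1_JAR),
               ("reload4j-1.2.18.4", RELOAD4J_JAR),
               ("unrelated", UNRELATED_JAR)]
    for label, jar in samples:
        print(label, "->", classify_jar(jar)["verdict"])
```

The coordinate check is a provenance heuristic, not proof that the appender in the jar is the hardened one: pom.properties is ordinary text inside the archive and says nothing about the bytecode next to it. A defender who needs certainty should compare the file's checksum with the artifact published on Maven Central rather than trust either the class name or the metadata alone.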

fipro78 commented 2 years ago

logpresso added special handling for reload4j, so this issue can be closed.