taoensso / timbre

Pure Clojure/Script logging library
https://www.taoensso.com/timbre
Eclipse Public License 1.0

Is Timbre affected by Log4Shell CVE-2021-44228? #343

Closed theronic closed 2 years ago

theronic commented 2 years ago

If I'm using Timbre "out of the box", do I need to be concerned about CVE-2021-44228?

ptaoussanis commented 2 years ago

@theronic Hi Petrus, thanks for bringing this to my attention.

Short answer:

Based on my understanding of your linked CVE page: you should be safe so long as you have no dependency on Log4j.

Details:

The main concern is if both of the following are true:

  1. You do have a Log4j dependency (e.g. some other library you're using has a transitive Log4j dependency without you realising it).
  2. You also have endpoint/s that could trigger Log4j logging of user-provided content. Note that even if you do have a Log4j dependency, Timbre would not automatically send anything to it. But if some library is pulling in a Log4j dependency, it's likely because that library [might] use Log4j for logging itself. I.e. it's conceivable that the library could issue logging calls without you being aware.

What I'd recommend:

  1. Check lein deps :tree or similar. If you see no log4j dependency, you should be safe.
  2. If you do see a log4j dependency, then you may need to follow one or more of the mitigation suggestions on the CVE page, for example:
    • Ensure that there's no endpoint that an attacker could use to trigger Log4j logging with the attacker's payload.
    • Ensure sufficient JVM and/or Log4j version.

Hope that's helpful.

KaliszAd commented 2 years ago

It seems it is not as easy as that. Check this as well:

jar tf uberjar.jar | grep log4j

It might be included there without being listed elsewhere.

And lein deps :tree 2>&1 | grep log4j or lein deps :tree 2>&1 | grep <your lib you suspect of having a vulnerable log4j as a dependency>.
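
The two checks above (the deps tree and the jar listing) only tell you whether the string "log4j" appears. As an added example, not from this thread or from the Timbre project, the script below does the jar-side check the way a reviewer would actually want it: it opens the uberjar, also opens any jar bundled inside it (which lein deps :tree never lists), and reports whether log4j-core classes are present and whether JndiLookup.class, the class the CVE-2021-44228 advisories say to remove when you cannot upgrade, is among them. The sample uberjar it builds is constructed inline for the demonstration; the class paths are the real log4j-core package layout.

```python
import io
import zipfile

# Paths identifying Log4j 2 core inside an exploded or nested jar.
# JndiLookup.class is the class the CVE-2021-44228 advisories tell you to
# strip from log4j-core if upgrading is not possible.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"


def scan_jar(data, depth=0, max_depth=3):
    """Return (log4j_core_seen, jndi_lookup_seen) for a jar given as bytes.

    Entries are inspected like `jar tf uberjar.jar | grep log4j` would see
    them, but nested *.jar entries (a dependency shipping its own jar) are
    opened and scanned as well, up to max_depth levels deep.
    """
    core = jndi = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(LOG4J_CORE_PREFIX):
                core = True
            if name == JNDI_LOOKUP:
                jndi = True
            if name.endswith(".jar") and depth < max_depth:
                inner_core, inner_jndi = scan_jar(zf.read(name), depth + 1, max_depth)
                core, jndi = core or inner_core, jndi or inner_jndi
    return core, jndi


def verdict(data):
    """Human-readable result for one uberjar (bytes)."""
    core, jndi = scan_jar(data)
    if not core:
        return "clean: no log4j-core classes found"
    if jndi:
        return "affected until proven otherwise: log4j-core with JndiLookup.class present"
    return "log4j-core present without JndiLookup.class: verify the version is patched"


def build_sample_uberjar(nest_log4j):
    """Constructed sample (not a real build artifact): a Timbre-style entry plus,
    optionally, a bundled log4j-core jar that the deps tree would not list."""
    log4j = io.BytesIO()
    with zipfile.ZipFile(log4j, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"")
    uber = io.BytesIO()
    with zipfile.ZipFile(uber, "w") as zf:
        zf.writestr("taoensso/timbre.clj", b"(ns taoensso.timbre)")
        if nest_log4j:
            zf.writestr("lib/log4j-core-SAMPLE.jar", log4j.getvalue())
    return uber.getvalue()
```

For a real artifact, read the uberjar from disk and pass its bytes to verdict(); a "clean" result means no log4j-core classes anywhere in the jar, not just none matching a grep.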

ptaoussanis commented 2 years ago

@KaliszAd Hi Adam, thanks for the assistance! 🙏

I wasn't aware that a Clojure Uberjar can contain dependencies not listed by lein deps :tree. Can you provide an example of how that could happen, or a source with more info? Would be interested in understanding this better.

Cheers

KaliszAd commented 2 years ago

@ptaoussanis There was a discussion around that on Clojurians I have seen. Here is a link: https://clojurians.slack.com/archives/C03RZGPG3/p1639355694394000?thread_ts=1639213808.334100&cid=C03RZGPG3 It seems profiles can alter what you get without lein deps :tree showing it. Or presumably a dependency can just include a jar: https://clojurians.slack.com/archives/C03RZGPG3/p1639355754395300

ptaoussanis commented 2 years ago

I'm not a member of the linked Slack group, so can't comment on the discussion there. But in any case, would agree that it doesn't hurt to be extra cautious and [/also] check the jar directly 👍