yuzutech / kroki

Creates diagrams from textual descriptions!
https://kroki.io
MIT License

Log4shell / CVE-2021-44228 : Status for kroki ? #1034

Closed gissehel closed 2 years ago

gissehel commented 2 years ago

Hello,

As I've disabled everything running java on my server since the detection of Log4shell / CVE-2021-44228, I'm trying to gather information about each project.

I'm no java dev at all. From what I understand, kroki doesn't seem to be vulnerable to CVE-2021-44228 (Log4Shell), but can you confirm it?

Analysis

Here is my analysis:

Question

Do you confirm that no version of kroki is vulnerable to log4shell? If not, do you confirm that the last version of kroki is not vulnerable to log4shell?

ggrossetie commented 2 years ago

Hello @gissehel

That's a good analysis 👍🏻

Do you confirm that no version of kroki is vulnerable to log4shell? If not, do you confirm that the last version of kroki is not vulnerable to log4shell?

That's correct, Kroki is not affected by the Log4j vulnerability. Kroki (including dependencies) does not use Log4j.

For reference, here's the complete dependency tree for the latest version 0.16.0:

Dependency tree
io.kroki:kroki-server:jar:0.16.0
+- io.vertx:vertx-core:jar:4.1.5:compile
|  +- io.netty:netty-common:jar:4.1.68.Final:compile
|  +- io.netty:netty-buffer:jar:4.1.68.Final:compile
|  +- io.netty:netty-transport:jar:4.1.68.Final:compile
|  +- io.netty:netty-handler:jar:4.1.68.Final:compile
|  |  \- io.netty:netty-codec:jar:4.1.68.Final:compile
|  +- io.netty:netty-handler-proxy:jar:4.1.68.Final:compile
|  |  \- io.netty:netty-codec-socks:jar:4.1.68.Final:compile
|  +- io.netty:netty-codec-http:jar:4.1.68.Final:compile
|  +- io.netty:netty-codec-http2:jar:4.1.68.Final:compile
|  +- io.netty:netty-resolver:jar:4.1.68.Final:compile
|  +- io.netty:netty-resolver-dns:jar:4.1.68.Final:compile
|  |  \- io.netty:netty-codec-dns:jar:4.1.68.Final:compile
|  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.4:compile
+- io.vertx:vertx-web:jar:4.1.5:compile
|  +- io.vertx:vertx-web-common:jar:4.1.5:compile
|  +- io.vertx:vertx-auth-common:jar:4.1.5:compile
|  \- io.vertx:vertx-bridge-common:jar:4.1.5:compile
+- io.vertx:vertx-web-client:jar:4.1.5:compile
+- io.vertx:vertx-config:jar:4.1.5:compile
+- org.slf4j:slf4j-api:jar:1.7.32:compile
+- ch.qos.logback:logback-classic:jar:1.2.9:compile
+- ch.qos.logback:logback-core:jar:1.2.9:compile
+- ch.qos.logback.contrib:logback-json-classic:jar:0.1.5:compile
|  \- ch.qos.logback.contrib:logback-json-core:jar:0.1.5:compile
+- io.kroki:umlet:jar:0.16.0:compile
|  \- com.umlet:umlet-mini:jar:14.3.0:compile
|     +- com.umlet:umlet-elements:jar:14.3.0:compile
|     +- com.umlet:umlet-res:jar:14.3.0:compile
|     +- org.apache.xmlgraphics:batik-dom:jar:1.8:compile
|     |  +- org.apache.xmlgraphics:batik-ext:jar:1.8:compile
|     |  +- org.apache.xmlgraphics:batik-util:jar:1.8:compile
|     |  \- org.apache.xmlgraphics:batik-xml:jar:1.8:compile
|     +- org.apache.xmlgraphics:batik-svggen:jar:1.8:compile
|     |  \- org.apache.xmlgraphics:batik-awt-util:jar:1.8:compile
|     +- com.itextpdf:itextpdf:jar:5.4.1:compile
|     \- org.sourceforge.jlibeps:jlibeps:jar:0.1:compile
+- ditaa:ditaa-mini:jar:0.14:compile
+- net.sourceforge.plantuml:plantuml:jar:1.2021.16:compile
+- guru.nidi.com.kitfox:svgSalamander:jar:1.1.3:compile
+- com.structurizr:structurizr-dsl:jar:1.16.0:compile
|  +- com.structurizr:structurizr-client:jar:1.9.10:runtime
|  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.5.1:runtime
|  |  +- org.apache.httpcomponents.client5:httpclient5:jar:5.0:runtime
|  |  |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.0:runtime
|  |  |  +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.0:runtime
|  |  |  \- commons-codec:commons-codec:jar:1.13:runtime
|  |  \- javax.xml.bind:jaxb-api:jar:2.3.0:runtime
|  \- com.structurizr:structurizr-adr-tools:jar:1.3.8:runtime
+- com.structurizr:structurizr-export:jar:1.2.1:compile
|  \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
+- com.structurizr:structurizr-core:jar:1.9.10:compile
|  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.5:compile
|  \- commons-logging:commons-logging:jar:1.2:compile
+- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
|  +- org.opentest4j:opentest4j:jar:1.2.0:test
|  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
|  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
+- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
+- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
|  \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
+- org.assertj:assertj-core:jar:3.21.0:test
+- org.mockito:mockito-core:jar:4.2.0:test
|  +- net.bytebuddy:byte-buddy:jar:1.12.4:test
|  +- net.bytebuddy:byte-buddy-agent:jar:1.12.4:test
|  \- org.objenesis:objenesis:jar:3.2:test
+- io.vertx:vertx-codegen:jar:4.1.5:test
\- io.vertx:vertx-junit5:jar:4.1.5:test
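The check ggrossetie did by eye on the tree above can be automated. The following is an added example, not code from the issue or from the kroki project: it parses `mvn dependency:tree` text output into coordinates and reports any `org.apache.logging.log4j:log4j-core` whose version falls in the range affected by CVE-2021-44228 (2.0-beta9 through 2.14.1, with the 2.3.1 and 2.12.2 backport releases fixed). The embedded tree is a constructed excerpt with a log4j-core line added so the detector has a positive case.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed excerpt in Maven `dependency:tree` format (not the full tree from the issue);
# the log4j-core line is added deliberately so the detector has something to find.
SAMPLE_TREE = r"""
io.kroki:kroki-server:jar:0.16.0
+- io.vertx:vertx-core:jar:4.1.5:compile
|  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.4:compile
+- org.slf4j:slf4j-api:jar:1.7.32:compile
+- ch.qos.logback:logback-classic:jar:1.2.9:compile
\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""

class Artifact(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: Optional[str]   # None for the root project line

def parse_tree(text: str) -> List[Artifact]:
    """Parse `mvn dependency:tree` text output into a flat list of coordinates."""
    out = []
    for line in text.splitlines():
        coord = re.sub(r"^[\s|+\\-]*", "", line)   # drop the ASCII tree prefix
        if not coord:
            continue
        parts = coord.split(":")
        # group:artifact:type[:classifier]:version[:scope]; the root line has no scope
        if len(parts) == 4:
            group, artifact, version, scope = parts[0], parts[1], parts[3], None
        elif len(parts) == 5:
            group, artifact, version, scope = parts[0], parts[1], parts[3], parts[4]
        elif len(parts) == 6:
            group, artifact, version, scope = parts[0], parts[1], parts[4], parts[5]
        else:
            raise ValueError(f"unrecognised coordinate: {coord!r}")
        out.append(Artifact(group, artifact, version, scope))
    return out

def log4j_core_affected(version: str) -> bool:
    """True if a log4j-core version is in the CVE-2021-44228 range: 2.0-beta9..2.14.1,
    excluding the fixed 2.3.1 and 2.12.2 backports. 1.x and 2.15.0+ are not affected."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", version)
    if not m:
        return False
    major, minor, patch, qual = int(m[1]), int(m[2]), int(m[3] or 0), m[4] or ""
    if major != 2 or minor > 14:
        return False
    if minor == 0 and qual.startswith("beta") and int(qual[4:]) < 9:
        return False
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    return True

def find_log4shell(text: str) -> List[Artifact]:
    """Every log4j-core artifact in the tree whose version is in the affected range."""
    return [a for a in parse_tree(text)
            if a.group == "org.apache.logging.log4j" and a.artifact == "log4j-core"
            and log4j_core_affected(a.version)]
```

Run against the real tree (`mvn dependency:tree -DoutputFile=tree.txt`, then feed the file contents) the function returns an empty list for kroki 0.16.0, which is the same conclusion as above; the tree must be generated with all scopes included, since a `runtime` or `test` scoped log4j-core still lands on the classpath of whatever uses it.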

gissehel commented 2 years ago

Ok thank you, that's answering my question.