Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-03 Thread Ralph Goers
This appears to be plugin dependencies though, not project dependencies. The 
issue should really be raised with whatever plugin is causing it to be used. My 
recollection is that Maven itself hasn’t used Log4j in quite some time for 
logging. 

Ralph

> On Mar 3, 2022, at 8:21 AM, Gary Gregory  wrote:
> 
> Also note that in log4j 2.17.2 that was released a few days ago, I added
> many improvements to the log4j-1.2-api module which aims to provide
> compatibility with 1.2.
> 
> Gary


-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-03 Thread Gary Gregory
Also note that in log4j 2.17.2 that was released a few days ago, I added
many improvements to the log4j-1.2-api module which aims to provide
compatibility with 1.2.

Gary

On Thu, Mar 3, 2022, 08:37 Bernd Eckenfels  wrote:

> All of the (known) remaining log4j1.x security bugs (none of which are as
> severe as log4shell) are fixed in reload4j 1.2.18+. If you need to stick
> with 1.2 you should use that. Otherwise you can try to migrate to the log4j
> bridge, its compatibility was increased in 2.17.2 or 2.12.4.
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net


Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-03 Thread Gary Gregory
Do note that reload4j is not 100% compatible with log4j 1.2.17; code has
just been deleted to "fix" some CVEs.

Gary

On Thu, Mar 3, 2022, 08:37 Bernd Eckenfels  wrote:

> All of the (known) remaining log4j1.x security bugs (none of which are as
> severe as log4shell) are fixed in reload4j 1.2.18+. If you need to stick
> with 1.2 you should use that. Otherwise you can try to migrate to the log4j
> bridge, its compatibility was increased in 2.17.2 or 2.12.4.
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net


Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-03 Thread Bernd Eckenfels
All of the (known) remaining log4j1.x security bugs (none of which are as 
severe as log4shell) are fixed in reload4j 1.2.18+. If you need to stick with 
1.2 you should use that. Otherwise you can try to migrate to the log4j bridge, 
its compatibility was increased in 2.17.2 or 2.12.4.

Regards
Bernd
--
http://bernd.eckenfels.net

From: Martin Gainty 
Sent: Thursday, March 3, 2022 1:18:50 PM
To: Maven Developers List 
Cc: David Milet ; iss...@maven.apache.org 
; VZ-Product-OneTalk ; 
Danylo Volokh 
Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities

I *thought* log4j 1.2.15 had the patch to mitigate the JNDI Security 
Vulnerability?
Is this not the case?
Thanks John
M.





RE: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-03 Thread Martin Gainty
I *thought* log4j 1.2.15 had the patch to mitigate the JNDI Security 
Vulnerability?
Is this not the case?
Thanks John
M.



Sent from my Verizon, Samsung Galaxy smartphone



 Original message 
From: John Patrick 
Date: 3/3/22 4:07 AM (GMT-05:00)
To: Maven Developers List 
Cc: David Milet , iss...@maven.apache.org, 
VZ-Product-OneTalk , Danylo Volokh 

Subject: Re: Maven Dependency Plugin - Log4j vulnerabilities

Sorry, I thought you were talking about log4j v2, not v1. I can see it
downloads the metadata about the project but none of the jars:
local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
local-repo/log4j/log4j/1.2.12/_remote.repositories

So I would still say false positive, as the jar is not actually used.

But looking at the dependency tree it would need the apache commons to
update commons-logging:commons-logging, then
commons-digester:commons-digester then org.apache.velocity:velocity-tools,
then it gets to the 1st dependency within the maven ecosystem.
So 5-ish patches to 5 separate projects to upgrade, test and release, each
before the next PR can progress.

John




Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-03 Thread David Milet
Hey guys
Let’s be courteous and civil.

As part of vulnerability management, an assessment has to be made about the 
potential security impact of a vulnerability in software.

New vulnerabilities are found every day on older components and it is neither 
practical nor feasible to chase down every rabbit.

What I read from this chain is 
1. The business application is not exposed to any log4j vulnerability - that’s 
the most important 
2. The maven build environment might (can’t confirm at this point) download a 
transitive dependency on log4j 1.x which has a newly found vulnerability. IMHO 
the impact is low. It’s a build environment, not an actual business application 
and you surely don’t (and shouldn’t) build on your production systems. The 
probability of occurrence of an attack on this is probably null, knowing that 
attack vectors on log4j involve tricking the exposed application into logging 
something malicious, and a build environment does not expose logging to outside 
like a web app would.
Based on this, I’d flag those occurrences at the scanner as assessed and 
ignored and move on.

As a best practice, clean up your build environment after each build. Or use 
ephemeral containerized build environments.



> On Mar 3, 2022, at 02:53, Thomas Matthijs  wrote:
> 
> That was just to demonstrate how I got the dependency chain, that file
> was there, but if you're going to be this hostile, I'm not interested
> anymore, muting thread
> 




Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-03 Thread John Patrick
Sorry, I thought you were talking about log4j v2, not v1. I can see it
downloads the metadata about the project but none of the jars:
local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
local-repo/log4j/log4j/1.2.12/_remote.repositories

So I would still say false positive, as the jar is not actually used.

But looking at the dependency tree it would need the apache commons to
update commons-logging:commons-logging, then
commons-digester:commons-digester then org.apache.velocity:velocity-tools,
then it gets to the 1st dependency within the maven ecosystem.
So 5-ish patches to 5 separate projects to upgrade, test and release, each
before the next PR can progress.

John


On Thu, 3 Mar 2022 at 07:53, Thomas Matthijs  wrote:

> That was just to demonstrate how I got the dependency chain, that file
> was there, but if you're going to be this hostile, I'm not interested
> anymore, muting thread
>
> On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło 
> wrote:
> >
> > On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs  wrote:
> > >
> > > Can confirm this project downloads log4j 1.12.12 for me
> >
> > As I see it - you confirm something else.
> >
> > > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> >
> > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> > _artifact descriptor_
> >
> > --
> > Piotrek
> >
>
>
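Added example, not code from the Maven project or from anyone on the thread: a Python triage script that recreates the local-repository layout John lists above (log4j-1.2.12.pom, its .sha1 and _remote.repositories, no jar) in a temporary directory next to one constructed artifact (com.example:sample-lib:1.0, made up here) whose jar was fetched, and classifies each coordinate as descriptor-only or jar-present, which is the check a scanner hit on log4j:log4j:1.2.12 needs before it is recorded as a false positive.

```python
# Added example (not code from the Maven project or anyone on the thread):
# classify artifacts in a Maven local repository as descriptor-only (POM
# resolved, no jar on disk) or jar-present.
import tempfile
from pathlib import Path

def _write(path: Path, content: str = "") -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)

def build_sample_repo(root: Path) -> None:
    """Constructed sample: log4j:log4j:1.2.12 mirrors the listing from the
    thread; com.example:sample-lib:1.0 is made up, with its jar fetched."""
    log4j = root / "log4j" / "log4j" / "1.2.12"
    _write(log4j / "log4j-1.2.12.pom", "<project/>")
    _write(log4j / "log4j-1.2.12.pom.sha1", "0" * 40)
    _write(log4j / "_remote.repositories", "log4j-1.2.12.pom>central=\n")
    lib = root / "com" / "example" / "sample-lib" / "1.0"
    _write(lib / "sample-lib-1.0.pom", "<project/>")
    _write(lib / "sample-lib-1.0.jar", "PK\x03\x04")

def classify_repo(root: Path) -> dict:
    """Return {'groupId:artifactId:version': 'jar-present' | 'descriptor-only'}.
    A version directory is recognised by its <artifactId>-<version>.pom; the
    groupId is the directory path above the artifactId, dots for slashes."""
    result = {}
    for pom in root.rglob("*.pom"):
        version_dir = pom.parent
        version, artifact = version_dir.name, version_dir.parent.name
        if pom.name != f"{artifact}-{version}.pom":
            continue  # not a Maven repository layout directory
        group = ".".join(version_dir.parent.parent.relative_to(root).parts)
        has_jar = any(p.suffix == ".jar" and p.name.startswith(f"{artifact}-{version}")
                      for p in version_dir.iterdir())
        result[f"{group}:{artifact}:{version}"] = "jar-present" if has_jar else "descriptor-only"
    return result

def descriptor_only_versions(root: Path, group_id: str, artifact_id: str) -> list:
    """Versions of group:artifact whose jar bytes were never fetched."""
    prefix = f"{group_id}:{artifact_id}:"
    return sorted(coord[len(prefix):] for coord, status in classify_repo(root).items()
                  if coord.startswith(prefix) and status == "descriptor-only")

def demo() -> tuple:
    """Build the constructed repo; return (classification, log4j POM-only versions)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return classify_repo(root), descriptor_only_versions(root, "log4j", "log4j")

if __name__ == "__main__":
    classes, pom_only = demo()
    for coord, status in sorted(classes.items()):
        print(f"{status:16} {coord}")
    print("log4j:log4j versions resolved as descriptor only:", pom_only)
```

Point classify_repo at ~/.m2/repository to run it on a real build host; a jar-present result only shows the bytes were downloaded, and `mvn dependency:tree` is what tells you whether the artifact is on the project's own classpath or just a plugin's.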