Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Log4j Vulnerability Identified in Docker Image #386

Open
CraigOpie opened this issue Nov 27, 2024 · 0 comments
Open

Log4j Vulnerability Identified in Docker Image #386

CraigOpie opened this issue Nov 27, 2024 · 0 comments

Comments

@CraigOpie
Copy link

CraigOpie commented Nov 27, 2024

Update Log4j Dependency to a Supported Version to Address Vulnerabilities

Description

The current implementation of codeclimate-duplication includes dependencies on Apache Log4j version 1.x, as identified by a security scan. This version is end-of-life (EOL) and contains multiple high-severity vulnerabilities, including remote code execution (RCE) risks. Updating to a supported version (Log4j 2.17.2 or later) is necessary to address these security concerns.


Detected Vulnerabilities

  1. Apache Log4j 1.x Multiple Vulnerabilities (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302):

    • EOL status implies no future patches, leaving the system exposed to critical issues.
    • Risk of arbitrary code execution due to deserialization of untrusted data.
  2. Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104):

    • Vulnerable when JMSAppender is configured.
    • Exploitable by an attacker to execute arbitrary code.

Path Identified:

  • /srv/containers/gitlab-runner/overlay/<hash>/diff/home/app/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar

Recommended Actions

  1. Upgrade:

    • Update to Log4j 2.17.2 or the latest stable version.
    • Ensure any configuration files (e.g., log4j.properties) are compatible with Log4j 2.x.
  2. Review Usage:

    • Identify where Log4j 1.x is being used in the codebase.
    • Confirm no insecure appenders (e.g., JMSAppender) are in use.
  3. Testing:

    • Perform rigorous testing to validate logging functionality post-upgrade.
    • Include security testing to ensure mitigation of identified vulnerabilities.

References


Addressing this issue is critical to maintaining the security and integrity of systems utilizing codeclimate-duplication. If further assistance is needed, I am happy to provide additional details or support testing efforts.

Thank you for your attention to this matter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant