
CVE-2021-44228 #12648

Closed

devicenull opened this issue Dec 13, 2021 · 14 comments

Labels: question, security

Comments

@devicenull

devicenull commented Dec 13, 2021

https://twitter.com/nluedtke1/status/1469435658389561345

It appears some configurations of log4j 1.x are vulnerable - is cyberduck using one of them?

@brunom

brunom commented Dec 13, 2021

CD seems to be using a really old version (1.2.17)

<version>1.2.17</version>
that has other security issues https://www.cvedetails.com/cve/CVE-2019-17571/

dkocher added the question and security labels Dec 13, 2021

@dkocher
Contributor

dkocher commented Dec 13, 2021

As said we do not have a dependency for Apache Log4j 2. Also as a client side desktop application it does not seem relevant.

@dkocher dkocher closed this as completed Dec 13, 2021
@brunom

brunom commented Dec 13, 2021

@dkocher Where was this discussed before? I searched but didn't find.
CD depends on log4J 1, not 2, but 1 seems to also be affected https://twitter.com/nluedtke1/status/1469435658389561345
Even as a client side app, maybe you connect to a server that has files with $ escapes that you log and run.

@devicenull
Author

devicenull commented Dec 13, 2021

@dkocher log4j shows up in your pom.xml - so something appears to be using it?

I also see a config file for it - https://github.com/iterate-ch/cyberduck/blob/fa0aa0d5d7b07ec09a4c328b2c0cf9a56bf01c4d/core/src/main/resources/log4j.xml

As well as references to it in your code.

@dkocher
Contributor

dkocher commented Dec 14, 2021

It makes sense to eventually move away/upgrade from Log4j 1.x but I see no immediate urgency in this dependency upgrade. I do not see that CVE-2019-17571 would affect us as from my understanding this usage would need to be explicitly configured.

@jpilgrim

jpilgrim commented Dec 14, 2021

CVE-2019-17571 is related to log4j versions >= 1.2, <= 1.2.27. In the Cyberduck package, I find log4j-1.2.17. Why does that not affect Cyberduck, even though the version of log4j is affected?

@AliveDevil
Contributor

AliveDevil commented Dec 14, 2021

Because that vulnerability only affects the log4j SocketServer which, when used to centrally log from remote clients, can execute arbitrary code. Cyberduck isn't providing a central logging target so isn't affected.

> when listening to untrusted network traffic for log data

@brunom

brunom commented Dec 14, 2021

Since log4j 1 is out of support, vulnerabilities aren't tracked and we have to assume that it's unsafe.

@dkocher
Contributor

dkocher commented Dec 14, 2021

> Since log4j 1 is out of support, vulnerabilities aren't tracked and we have to assume that it's unsafe.

Log4j 1.x does not feature the JNDI functionality that caused CVE-2021-44228

dkocher changed the title from "Is cyberduck vulnerable to log4j issues?" to "CVE-2021-44228" Dec 14, 2021

@brunom
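As an added example (not Cyberduck's or Log4j's own code) covering the two points made above, AliveDevil's that CVE-2019-17571 lives in the 1.x SocketServer and dkocher's that 1.x has no JNDI lookup, here is a small Python scanner that opens each bundled jar and reports which of those two classes it contains. The two class paths are the real ones; the package-prefix rule for telling 1.x from 2.x, the reading of the `Implementation-Version` manifest attribute, the verdict strings and the in-memory sample jars are assumptions constructed for this example.

```python
"""Added example (not Cyberduck or Log4j project code): inspect JAR files
for the two Log4j classes discussed in this issue.

- Log4j 2.x ships org/apache/logging/log4j/core/lookup/JndiLookup.class,
  the JNDI lookup behind CVE-2021-44228.
- Log4j 1.2.x has no JNDI lookup but ships org/apache/log4j/net/SocketServer.class,
  the deserialising log receiver behind CVE-2019-17571, reachable only if
  something actually starts that server.

Package-prefix classification is a heuristic (assumption): Log4j 2 lives under
org/apache/logging/log4j/, Log4j 1.2 under org/apache/log4j/. Bridge jars may
reuse the 1.x package, so JndiLookup is checked regardless of generation.
"""
import io
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
LOG4J2_PREFIX = "org/apache/logging/log4j/"
LOG4J1_PREFIX = "org/apache/log4j/"

# Verdict strings are this example's own wording.
VERDICT_JNDI = "Log4j 2 with JndiLookup: relevant to CVE-2021-44228"
VERDICT_LOG4J2_NO_JNDI = "Log4j 2 without JndiLookup"
VERDICT_LOG4J1_SOCKET = ("Log4j 1.x: no JNDI lookup; SocketServer present "
                         "(CVE-2019-17571 only if the app listens for log data)")
VERDICT_LOG4J1 = "Log4j 1.x without SocketServer"
VERDICT_NONE = "no Log4j classes"


def inspect_jar(data: bytes) -> dict:
    """Classify one jar given its raw bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                # Common Maven manifest attribute; may be absent (assumption).
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    if any(n.startswith(LOG4J2_PREFIX) for n in names):
        generation = 2
    elif any(n.startswith(LOG4J1_PREFIX) for n in names):
        generation = 1
    else:
        generation = None
    return {
        "generation": generation,
        "version": version,
        "jndi_lookup": JNDI_LOOKUP in names,
        "socket_server": SOCKET_SERVER in names,
    }


def assess(report: dict) -> str:
    """Turn a report into a one-line verdict."""
    if report["jndi_lookup"]:
        return VERDICT_JNDI
    if report["generation"] == 2:
        return VERDICT_LOG4J2_NO_JNDI
    if report["generation"] == 1:
        return VERDICT_LOG4J1_SOCKET if report["socket_server"] else VERDICT_LOG4J1
    return VERDICT_NONE


def scan_jars(jars):
    """jars: iterable of (name, bytes). Returns {name: (report, verdict)}."""
    results = {}
    for name, data in jars:
        report = inspect_jar(data)
        results[name] = (report, assess(report))
    return results


def scan_directory(root):
    """Scan every *.jar below root, e.g. an installed Cyberduck directory."""
    paths = sorted(Path(root).rglob("*.jar"))
    return scan_jars((str(p), p.read_bytes()) for p in paths)


def build_sample_jar(entries, version=None) -> bytes:
    """Constructed sample jar for offline use; class bodies are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


# Constructed samples shaped like the jars discussed above (not real artifacts).
SAMPLE_LOG4J1 = build_sample_jar(
    [LOG4J1_PREFIX + "Logger.class", SOCKET_SERVER,
     LOG4J1_PREFIX + "xml/DOMConfigurator.class"], version="1.2.17")
SAMPLE_LOG4J2 = build_sample_jar(
    [LOG4J2_PREFIX + "core/Logger.class", JNDI_LOOKUP], version="2.14.1")
SAMPLE_LOG4J2_FIXED = build_sample_jar(
    [LOG4J2_PREFIX + "core/Logger.class"], version="2.17.0")

if __name__ == "__main__":
    samples = [("log4j-1.2.17.jar", SAMPLE_LOG4J1),
               ("log4j-core-2.14.1.jar", SAMPLE_LOG4J2),
               ("log4j-core-2.17.0.jar", SAMPLE_LOG4J2_FIXED)]
    for name, (report, verdict) in scan_jars(samples).items():
        print(f"{name}: version={report['version']} -> {verdict}")
```

Run `scan_directory("/path/to/Cyberduck")` against an install to see what the corporate scanners mentioned later in this thread would find: a 1.2.17 jar shows up as Log4j 1.x with SocketServer present and no JndiLookup, which matches the maintainers' position that the JNDI issue does not apply while the SocketServer code is still shipped even if nothing starts it.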

brunom commented Dec 14, 2021

But it may have other undocumented issues.

@dkocher
Contributor

dkocher commented Dec 14, 2021

> But it may have other undocumented issues.

Like any software.

@brunom

brunom commented Dec 14, 2021

log4j maintainers only document and fix issues on supported versions. Using log4j 1 is like using Windows XP: you don't even know the ways you could get attacked.

@boshuis

boshuis commented Dec 21, 2021

There are already quite a number of (large) companies that do not allow any old (vulnerable) log4j libraries on employees laptops. Without a proper version of log4j, cyberduck is not working anymore since the library is automatically removed from company devices.

@dkocher
Contributor

dkocher commented Dec 23, 2021

> There are already quite a number of (large) companies that do not allow any old (vulnerable) log4j libraries on employees' laptops. Without a proper version of log4j, cyberduck is not working anymore since the library is automatically removed from company devices.

I have opened #12706.
