CVE-2021-44228 #628

Closed
mattronix opened this issue Dec 11, 2021 · 5 comments
Comments

@mattronix

Hello Team,

We see log4j in the code base. Not super savvy with Java, but could you confirm if the software is at risk of https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java (CVE-2021-44228)?

@mayyit

mayyit commented Dec 11, 2021

Same question here. The log4j version with 2.0.0 is log4j-1.2.17.jar, which itself is no longer supported according to
https://logging.apache.org/log4j/1.2/ which then also refers to an older CVE https://www.cvedetails.com/cve/CVE-2019-17571/ that seems to have similar issues.

I'm taking down the app until we get some certainty around this issue.

@muppeth

muppeth commented Dec 12, 2021

@mattronix according to https://groups.google.com/g/pwm-general/c/mjf4fEzz0b0 pwm is not affected because it uses an even older log4j lib :\

@jrivard
Contributor

jrivard commented Dec 12, 2021

PWM (all versions) uses log4j v1, which is not affected by this CVE. Though the deprecated v1 is used, as far as I'm aware the configuration and libraries used are not affected by older v1 CVEs.

Unfortunately, updating to v2 is not trivial. It was attempted and ultimately abandoned because v2's feature bloat and complexity made it not a good fit for PWM and would have required a substantial rewrite of code and a change of features. There is an ongoing effort to replace log4j with slf4j/logback.

@bmj8409

bmj8409 commented Jan 27, 2022

Appreciate your work on this tool. It has been very useful to our organization. Unfortunately, we will have to decommission its use until Log4j is updated to at least 2.16+ or replaced with slf4j/logback. Our security dept. is not allowing the older 1.2.x.

@jrivard
Contributor

jrivard commented Jul 25, 2022

v2.0.2 release replaces log4j with reload4j. This doesn't fix any security issues (there aren't any with our usage of log4j), but it may make your scanners happier. (commit 3a3c137)
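The two maintainer replies above turn on one fact: which log4j generation is actually bundled. log4j 1.x (and the reload4j drop-in that v2.0.2 switches to) lives under the `org/apache/log4j/` package, while the CVE-2021-44228 component is the `JndiLookup` class in log4j 2.x `log4j-core`. The script below is an added example, not PWM's code or anything from this thread: it walks a deployment directory, opens each `.jar`/`.war`, recurses into jars nested under `WEB-INF/lib/`, and reports which generation each archive carries. The sample archives it scans are constructed in a temporary directory with empty placeholder class files; the filenames and versions in them are made up for the demo.

```python
"""Added example (not PWM's code): classify log4j artifacts found in a deployment.

Verdicts are based on class paths only, so a reload4j jar (which keeps the
org/apache/log4j package) is reported as 'log4j1', exactly like log4j 1.2.x.
"""
import io
import os
import tempfile
import zipfile

# Real package paths that distinguish the two log4j generations.
LOG4J1_PREFIX = "org/apache/log4j/"            # log4j 1.x and reload4j
LOG4J2_PREFIX = "org/apache/logging/log4j/"    # log4j 2.x (api and core)
# The class that implements JNDI lookups in log4j 2.x core (CVE-2021-44228).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify(names):
    """Return a verdict for one archive's entry list.

    'log4j2-jndi' : log4j 2.x with JndiLookup present (the CVE-2021-44228 component)
    'log4j2'      : log4j 2.x classes without JndiLookup (e.g. api-only jar)
    'log4j1'      : log4j 1.x / reload4j classes (not affected by CVE-2021-44228)
    'none'        : no log4j classes in this archive itself
    """
    if JNDI_LOOKUP in names:
        return "log4j2-jndi"
    if any(n.startswith(LOG4J2_PREFIX) for n in names):
        return "log4j2"
    if any(n.startswith(LOG4J1_PREFIX) for n in names):
        return "log4j1"
    return "none"


def scan_archive(data, label):
    """Classify a jar/war given as bytes and recurse into nested .jar entries
    (e.g. WEB-INF/lib/*.jar inside a war). Returns {label: verdict, ...}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        results[label] = classify(names)
        for n in names:
            if n.lower().endswith(".jar"):
                results.update(scan_archive(zf.read(n), f"{label}!{n}"))
    return results


def scan_tree(root):
    """Walk a directory tree and scan every .jar/.war it contains."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith((".jar", ".war")):
                path = os.path.join(dirpath, f)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    results.update(scan_archive(fh.read(), label))
    return results


def _make_zip(entries):
    """Build an in-memory zip from {entry_name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples(root):
    """Write constructed sample archives under root (class files are empty stubs)."""
    log4j1 = _make_zip({"org/apache/log4j/Logger.class": b""})
    core2 = _make_zip({JNDI_LOOKUP: b"", "org/apache/logging/log4j/core/Logger.class": b""})
    api2 = _make_zip({"org/apache/logging/log4j/LogManager.class": b""})
    war = _make_zip({"WEB-INF/lib/log4j-core-2.x.jar": core2, "WEB-INF/web.xml": b"<web-app/>"})
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    samples = {"lib/log4j-1.2.17.jar": log4j1, "lib/log4j-api-2.x.jar": api2, "app.war": war}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed samples in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:12} {path}")
```

Run it against a real install by calling `scan_tree("/path/to/pwm")` instead of `demo()`. Note that the war itself reports `none` and the nested `log4j-core` jar reports `log4j2-jndi`, which is why the scan must descend into `WEB-INF/lib`; a version string in a filename is not checked at all, since a repackaged or shaded jar can carry any name.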
