Backport CVE-2024-12801 & CVE-2024-12798 to 1.2.x?

[domainname]

Any plan to backport CVE-2024-12801 & CVE-2024-12798 to 1.2.x?
Spring Boot 2.7 doesn't support logback 1.3.x or later.

[ceki]

Hello @domainname,

There are no current plans to backport these fixes to the 1.2.x branch.

However, you can set Spring-boot LoggingSystem parameter to none:

-Dorg.springframework.boot.logging.LoggingSystem=none

You also have the option of championing a logback release.

[FieteO]

I would also really appreciate a backport. Since spring boot 2.X will not be made compatible with slf4j-api 2.0.X, users that are stuck on spring-boot 2 (for instance because of libraries that are not working with Java 17) have no way of resolving these vulnerabilities

[scrain]

I could use a backport for my organization as well. I would be willing to help with PR if there is willingness to publish a patch.

[simontoens]

In our org we have a lot of projects still stuck on Spring Boot 2 as well - the migration to sb3 is very slow for reasons. A backport would be greatly appreciated. Also willing to help with PR.

[hazendaz]

For spring boot 2 users, see spring-projects/spring-boot#12649 which shows how to work around and use latest slf4j/logback.

[ceki]

@hazendaz This is very helpful. Thank you for the pointer.

[sbernard31]

@ceki some people propose help to backport the fix and you didn't answer about that.
logback seems to be a community project, so naively I expected that this kind of initiative should be encouraged ?

[ceki]

@sbernard31 Thank you for your input. The difficulty is not back-porting the fix, removing the JaninoEventEvaluator is not difficult. The difficulty resides in the time it takes to make a release from the 1.2.x branch and updating the CVE information through a third party. Moreover, the 1.2.x branch is marked as UNMAINTAINED. As everyone else, I also need to manage my priorities.

Also as mentioned above, for those using Spring 2.7, setting the org.springframework.boot.logging.LoggingSystem system property to none allows upgrading to logback 1.5.x. I hope this clarifies the matter.

[sbernard31]

The difficulty resides in the time it takes to make a release from the 1.2.x branch and updating the CVE information through a third party

I manage an open source project too, so I understand this could take time but I guess this is probably a couple of hour.
(I talk about release + CVE information. Not the backport itself)

Moreover, the 1.2.x branch is marked as UNMAINTAINED.

I understand but here we don't talk about news feature but fixing security issue which could make the library unusable.
Maybe for some people it is really difficult to migrate (could be lot of time) and they prefer to invest their time to contribute on backporting security issue (for the benefit of the community) it's too bad this is stopped for couple of hour of works.

Also as mentioned above, for those using Spring 2.7, setting the org.springframework.boot.logging.LoggingSystem system property to none allows upgrading to logback 1.5.x. I hope this clarifies the matter.

On my side, I'm using it for demos of an open source library which have java7 as minimal requirement.
As this is just demo(not production ready tool), I can live with it. I just reacted because we are a lot to regret there is not much contribution to open source and so it's too bad that people proposing help was ignored.

Anyway, thx for taking time to answer 🙏
(and I understand that sometime couple of hour is hard to find when we manage open source project)

[Laurence60025]

Hello @ceki ,

Thank you for your detailed response regarding the challenges of backporting fixes for CVE-2024-12801 and CVE-2024-12798, as well as the explanation of alternatives for addressing these vulnerabilities in newer versions.

Based on the official announcement for Logback 1.3.15, it appears that removing JaninoEventEvaluator and adjusting SaxEventRecorder are the key measures to address these CVEs. Given that we still have a need to use the 1.2.x branch, I would like to confirm the following:

If we manually make the following changes in the 1.2.x branch:

1. Remove JaninoEventEvaluator;
2. Update SaxEventRecorderto reflect the fixes made in 1.3.15;

Would these adjustments be sufficient to fully mitigate the risks associated with CVE-2024-12801 and CVE-2024-12798? Or are there additional changes or considerations (e.g., addressing related vulnerabilities or configurations) required to ensure the system's security?

We understand that the 1.2.x branch is marked as UNMAINTAINED and greatly appreciate the time and effort you have dedicated to this project. However, your confirmation on this matter would help us ensure our manual adjustments are aligned with the intended security fixes.

Thank you for your guidance and support!

[ceki]

@Laurence60025 The steps you mention sound correct.

[sbernard31]

It's really too bad that everyone did that fix on their own. Instead of having it shared in an opensource project ... 😞

[ceki]

FYI, version 1.3.17 was released on 2024-12-28.