Log4j / Log4shell vulnerability #6980
Comments
|
That issue does not affect ZAP. It was already updated in #6979. |
|
Further details have come to light regarding CVE-2021-45046, resulting in its severity being upgraded to a CVSS score of 9 (from 3.7) The latest stable zaproxy release (v2.11.1) still uses log4j2 < 2.16.0, with log4j-core (containing I think the mere potential of latent attack vectors in the latest stable release warrants cutting a new v2.11.2 release using log4j2 v2.16.0 (or potentially v2.17.0 that may be releasing soon) https://logging.apache.org/log4j/2.x/security.html
|
|
At the moment I disagree. |
|
Unfortunately RCE is not the only concern, there may still exist the potential for data exfiltration or unintended network activity for any Java software that logs external input via log4j2 <2.16.0 For the benefit of anyone else who's paranoid about the current zip -q -d /zap/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
|
Re-opening to facilitate discussion and hopefully prevent further duplicates. |
|
Could we change the title to just CVSS-10 | CVE-2021-44228 | 2.x | Unauthenticated Remote Code Execution |
kingthorin
changed the title
thc202
changed the title
|
Any target days when a new official release will be out with updated log4j libs? |
|
As previously stated we do not currently plan to have another release related to this. If someone is able to perform an RCE vs ZAP please report it via BugCrowd. |
|
Or if you can find any other non RCE Log4j related problem vs ZAP then just raise a new issue here. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
I know you've said:
However, I'm obligated within the US Federal Govt to demonstrate that we've fully mitigated https://nvd.nist.gov/vuln/detail/CVE-2021-44228. And while you're correct that log4j 2.15.0 in ZAP is not vulnerable, that CVE still lists 2.16.0 and newer as the appropriate mitigation. So.... If you could cut a new release, it would save me, and others in a similar boat, from having to litigate this over and over again. If not, I can let folks here work on deploying from the weekly, which is suboptimal, but still works for us. In short: 2.17 would save us a lot of hassle. Thanks for considering!
Yes - compliance drones following directives without nuance is a "non-RCE Log4J related problem" 😁 |
|
Cutting a new release is time consuming for us and not something we want to do unless we really need to. |
|
Got it. Should I open a new issue for bumping to 2.17.0 or newer in a full release? If there are a lot of other folks in the same boat I am, they can comment/vote there, and you can decide on what's best. |
No this is the spot. |
|
I need a release with version 2.17.0 of log4j as well to be compliant with the policies in my organization as well. |
|
Thanks for letting us know. Feel free to refer your compliance team to this issue, and don't forget to read the User Group post that @psiinon mentioned. |
|
The new release with log4j 2.17.1 is highly appreciated. @psiinon |
|
@wrenashe sponsorship of ZAP is greatly appreciated :) |
|
I’m going to unpin this. It seems no one was concerned enough in the end to sponsor a fix/build. I believe the issue can actually be closed, we have upgraded dependencies to 2.17.1 and there does not currently seem to be anything newer. |
|
Sounds good. |
|
+1 |
|
What @psiinon did not explain in his statement is: Why it is so difficult and time consuming to create a new release for OWASP ZAP? Especially, in regards to log4j: only the log4j dependency would need to be upgraded to 2.17.2. This has probably no impact on OWASP ZAP. I partly understand the argument regarding Apache HttpClient 3.1. However, I would still argue, that upgrading dependencies should not be so difficult. Especially, statements like:
Source: https://groups.google.com/g/zaproxy-users/c/Wg-fKIZ2w6I/m/fPbI8wxuAwAJ I am not sure what is more concerning, the fact that Apache Commons HttpClient is not maintained or it has a CVE? In my case clearly both. |
|
The dependencies are already upgraded, feel free to use a weekly or support ZAP as discussed earlier. |
|
What is the price tag? 200 $ worth in money or time and we get the log4j release? I do understand and I agree, the companies using OWASP ZAP should give back in time or money. However, there are two aspects to consider:
Furthermore, if I invest time or money personally or as an organization my goal would be sustained growth. Paying, for a feature does not ensure the long term growth of the project. |
Your answer is not helpful at all. I read the discussion and still decided to comment on this issue. Try again, maybe you can give me a better answer on the question: Why it is so time consuming to create a new release? I really do not understand, why you are easily able to release every week, but creating full release is such a huge issue. |
|
The real question is why you feel entitled to an answer? We've stated it's a time sink, you can trust that or not. We would rather you do, but if you don't then okay..... We're all volunteers with other jobs. To give you a bit of insight. Doing a full release requires:
|
|
I dont have an accurate figure on how much a release costs us but its non trivial. |
TBH we hadnt got as far as putting a price on it.
How much are you talking about? $200? $2,000? $20,000? More? |
|
@Jeeppler IMHO, we should discuss more about this on the user list rather than in this closed issue. It will definitely gain more visibility on the user list. |
|
Thats what the groups are for - much better than discussions on closed issues :D |
|
@psiinon and @kingthorin thank you for the explanation. To summarize your explanation, the problems releasing a new version of Owasp Zap with an updated Log4j dependency is non-trivial as it requires a huge effort for the following reasons:
Furthermore, I would like @psiinon or @kingthorin to change the title to: Owasp Zap 2.11.1 uses Log4j 2.15. Log4j 2.15 is vulnerable to:
as @psiinon mentioned OWASP ZAP is not vulnerable to any of those vulnerabilities. Workarounds:
|
|
Issues are closed once the changes that address them are merged, as is the case. |
|
@thc202 can you link to the pull request? |
|
The pull requests are linked above. |
If you can prove some relevant impact from these details please submit it via BugCrowd. |
|
There the two latest have been linked 🔼 The 2.17.1 set are linked earlier in this issue (Dec 28). (They might be in a hidden comment block....GitHub Web UI folds things up at various points when there's lots of activity.) |
|
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Describe the bug
log4j 2.15.x does not fully solve it – see https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/:
Software versions
The text was updated successfully, but these errors were encountered: