-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Log4j / Log4shell vulnerability #6980
Comments
That issue does not affect ZAP. It was already updated in #6979. |
Further details have come to light regarding CVE-2021-45046, resulting in its severity being upgraded to a CVSS score of 9 (from 3.7) The latest stable zaproxy release (v2.11.1) still uses log4j2 < 2.16.0, with log4j-core (containing I think the mere potential of latent attack vectors in the latest stable release warrants cutting a new v2.11.2 release using log4j2 v2.16.0 (or potentially v2.17.0 that may be releasing soon) https://logging.apache.org/log4j/2.x/security.html
|
At the moment I disagree. |
Unfortunately RCE is not the only concern, there may still exist the potential for data exfiltration or unintended network activity for any Java software that logs external input via log4j2 <2.16.0 For the benefit of anyone else who's paranoid about the current zip -q -d /zap/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
Re-opening to facilitate discussion and hopefully prevent further duplicates. |
Could we change the title to just CVSS-10 | CVE-2021-44228 | 2.x | Unauthenticated Remote Code Execution |
Any target days when a new official release will be out with updated log4j libs? |
As previously stated we do not currently plan to have another release related to this. If someone is able to perform an RCE vs ZAP please report it via BugCrowd. |
Or if you can find any other non RCE Log4j related problem vs ZAP then just raise a new issue here. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
I know you've said:
However, I'm obligated within the US Federal Govt to demonstrate that we've fully mitigated https://nvd.nist.gov/vuln/detail/CVE-2021-44228. And while you're correct that log4j 2.15.0 in ZAP is not vulnerable, that CVE still lists 2.16.0 and newer as the appropriate mitigation. So.... If you could cut a new release, it would save me, and others in a similar boat, from having to litigate this over and over again. If not, I can let folks here work on deploying from the weekly, which is suboptimal, but still works for us. In short: 2.17 would save us a lot of hassle. Thanks for considering!
Yes - compliance drones following directives without nuance is a "non-RCE Log4J related problem" 😁 |
Cutting a new release is time consuming for us and not something we want to do unless we really need to. |
Got it. Should I open a new issue for bumping to 2.17.0 or newer in a full release? If there are a lot of other folks in the same boat I am, they can comment/vote there, and you can decide on what's best. |
No this is the spot. |
I need a release with version 2.17.0 of log4j as well to be compliant with the policies in my organization as well. |
Thanks for letting us know. Feel free to refer your compliance team to this issue, and don't forget to read the User Group post that @psiinon mentioned. |
The new release with log4j 2.17.1 is highly appreciated. @psiinon |
@wrenashe sponsorship of ZAP is greatly appreciated :) |
I’m going to unpin this. It seems no one was concerned enough in the end to sponsor a fix/build. I believe the issue can actually be closed, we have upgraded dependencies to 2.17.1 and there does not currently seem to be anything newer. |
Sounds good. |
+1 |
What @psiinon did not explain in his statement is: Why it is so difficult and time consuming to create a new release for OWASP ZAP? Especially, in regards to log4j: only the log4j dependency would need to be upgraded to 2.17.2. This has probably no impact on OWASP ZAP. I partly understand the argument regarding Apache HttpClient 3.1. However, I would still argue, that upgrading dependencies should not be so difficult. Especially, statements like:
Source: https://groups.google.com/g/zaproxy-users/c/Wg-fKIZ2w6I/m/fPbI8wxuAwAJ I am not sure what is more concerning, the fact that Apache Commons HttpClient is not maintained or it has a CVE? In my case clearly both. |
The dependencies are already upgraded, feel free to use a weekly or support ZAP as discussed earlier. |
What is the price tag? 200 $ worth in money or time and we get the log4j release? I do understand and I agree, the companies using OWASP ZAP should give back in time or money. However, there are two aspects to consider:
Furthermore, if I invest time or money personally or as an organization my goal would be sustained growth. Paying, for a feature does not ensure the long term growth of the project. |
Your answer is not helpful at all. I read the discussion and still decided to comment on this issue. Try again, maybe you can give me a better answer on the question: Why it is so time consuming to create a new release? I really do not understand, why you are easily able to release every week, but creating full release is such a huge issue. |
The real question is why you feel entitled to an answer? We've stated it's a time sink, you can trust that or not. We would rather you do, but if you don't then okay..... We're all volunteers with other jobs. To give you a bit of insight. Doing a full release requires:
|
I dont have an accurate figure on how much a release costs us but its non trivial. |
TBH we hadnt got as far as putting a price on it.
How much are you talking about? $200? $2,000? $20,000? More? |
@Jeeppler IMHO, we should discuss more about this on the user list rather than in this closed issue. It will definitely gain more visibility on the user list. |
Thats what the groups are for - much better than discussions on closed issues :D |
@psiinon and @kingthorin thank you for the explanation. To summarize your explanation, the problems releasing a new version of Owasp Zap with an updated Log4j dependency is non-trivial as it requires a huge effort for the following reasons:
Furthermore, I would like @psiinon or @kingthorin to change the title to: Owasp Zap 2.11.1 uses Log4j 2.15. Log4j 2.15 is vulnerable to:
as @psiinon mentioned OWASP ZAP is not vulnerable to any of those vulnerabilities. Workarounds:
|
Issues are closed once the changes that address them are merged, as is the case. |
@thc202 can you link to the pull request? |
The pull requests are linked above. |
If you can prove some relevant impact from these details please submit it via BugCrowd. |
There the two latest have been linked 🔼 The 2.17.1 set are linked earlier in this issue (Dec 28). (They might be in a hidden comment block....GitHub Web UI folds things up at various points when there's lots of activity.) |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Describe the bug
log4j 2.15.x does not fully solve it – see https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/:
Software versions
The text was updated successfully, but these errors were encountered: