log4j-core-2.7.jar: 3 vulnerabilities (highest severity is: 9.2) #79
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
dev-mend-for-github.aaakk.us.kg
bot
added
the
Mend: dependency security vulnerability
1 task
dev-mend-for-github.aaakk.us.kg
bot
changed the title
dev-mend-for-github.aaakk.us.kg
bot
changed the title
dev-mend-for-github.aaakk.us.kg
bot
changed the title
dev-mend-for-github.aaakk.us.kg
bot
changed the title
dev-mend-for-github.aaakk.us.kg
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The Apache Log4j Implementation
Library home page: http://logging.apache.org/log4j/2.x/log4j-core/
Path to dependency file: /nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - log4j-core-2.7.jar
The Apache Log4j Implementation
Library home page: http://logging.apache.org/log4j/2.x/log4j-core/
Path to dependency file: /nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Publish Date: 2017-04-17
URL: CVE-2017-5645
CVSS 4 Score Details (9.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
Release Date: 2017-04-17
Fix Resolution: 2.8.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - log4j-core-2.7.jar
The Apache Log4j Implementation
Library home page: http://logging.apache.org/log4j/2.x/log4j-core/
Path to dependency file: /nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: 2020-04-27
URL: CVE-2020-9488
CVSS 4 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: 2.12.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - log4j-core-2.7.jar
The Apache Log4j Implementation
Library home page: http://logging.apache.org/log4j/2.x/log4j-core/
Path to dependency file: /nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Publish Date: 2021-12-14
URL: CVE-2021-45046
CVSS 4 Score Details (0.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Physical
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: 2021-12-14
Fix Resolution: 2.12.2
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: