logback-classic-1.2.3.jar: 3 vulnerabilities (highest severity is: 8.7) reachable

[ws-on-ws]

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /wss-agent-hash-calculator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (logback-classic version)	Remediation Possible**	Reachability
CVE-2023-6378	High	8.7	logback-classic-1.2.3.jar	Direct	1.2.13	✅	Reachable
CVE-2021-42550	High	7.5	detected in multiple dependencies	Transitive	1.2.8	✅	Reachable
CVE-2023-6481	High	8.7	logback-core-1.2.3.jar	Transitive	1.2.13	✅	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-6378

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /wss-agent-hash-calculator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

• ❌ logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.whitesource.agent.hash.FileUtils (Application)
  -> org.slf4j.LoggerFactory (Extension)
   -> org.slf4j.impl.StaticLoggerBinder (Extension)
    -> ch.qos.logback.classic.joran.JoranConfigurator (Extension)
    ...
      -> ch.qos.logback.classic.net.SocketAppender (Extension)
       -> ch.qos.logback.classic.net.LoggingEventPreSerializationTransformer (Extension)
        -> ❌ ch.qos.logback.classic.spi.LoggingEventVO (Vulnerable Component)

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution: 1.2.13

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-42550

Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar

logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /wss-agent-hash-calculator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

• logback-classic-1.2.3.jar (Root Library)
  • ❌ logback-core-1.2.3.jar (Vulnerable Library)

logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /wss-agent-hash-calculator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

• ❌ logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.whitesource.agent.hash.FileUtils (Application)
  -> org.slf4j.LoggerFactory (Extension)
   -> org.slf4j.impl.StaticLoggerBinder (Extension)
    -> ch.qos.logback.classic.util.ContextSelectorStaticBinder (Extension)
     -> ❌ ch.qos.logback.core.util.OptionHelper (Vulnerable Component)

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 4 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-core): 1.2.8

Direct dependency fix Resolution (ch.qos.logback:logback-classic): 1.2.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-6481

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /wss-agent-hash-calculator/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

• logback-classic-1.2.3.jar (Root Library)
  • ❌ logback-core-1.2.3.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution (ch.qos.logback:logback-core): 1.2.13

Direct dependency fix Resolution (ch.qos.logback:logback-classic): 1.2.13

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.

[ws-on-ws]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[ws-on-ws]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[ws-on-ws]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[ws-on-ws]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[ws-on-ws]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[ws-on-ws]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.