Re: [PR] Proofread CVE fix versions [logging-site]

Tue, 28 Jan 2025 03:40:28 -0800 


ppkarwasz commented on code in PR #6:
URL: https://github.com/apache/logging-site/pull/6#discussion_r1932009167


##########
_vulnerabilities.adoc:
##########
@@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai 
Technologies, Guy Lederfein
 |Summary |Thread Context Lookup is vulnerable to remote code execution in 
certain configurations
 |CVSS 3.x Score & Vector |9.0 CRITICAL 
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
 |Components affected |`log4j-core`
-|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
-|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` 
(for Java 8 and later)
+|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)`

Review Comment:
   The way I see it:
   
   - CVE-2021-44228 is about JNDI lookup injection through the `%m` pattern. It 
was fixed in `2.15.0`.
   - JNDI lookups could come from the recursive evaluation of `${ctx:…}` and 
that is why we issued CVE-2021-45046 (and CVE-2021-45105), which were fixed in 
`2.16.0`.
   
   These numbers agree with those reported to the NVD and IMHO correcting the 
order of evaluation of `%m` patterns and removing recursive evaluation of 
`${…}` lookups cuts off all sources of user data that could be fed to the JNDI 
lookup.
   
   In case we forgot some call paths that lead to the JNDI lookup, version 
`2.16.0`also prevents the instantiation of the lookup in `Interpolator` (its 
only caller):
   
   ```java
   final Class<? extends StrLookup> clazz = 
entry.getValue().getPluginClass().asSubclass(StrLookup.class);
   if (!clazz.getName().equals(JndiLookup.class.getName()) || 
JndiManager.isJndiEnabled()) {
       strLookupMap.put(entry.getKey().toLowerCase(), 
ReflectionUtil.instantiate(clazz));
   }
   ```
   
   (see [source 
code](https://github.com/apache/logging-log4j2/blob/cffe58f6a433ea1ab60ceb129d4c9b3377acda1d/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L80-L83))
   
   Version `2.17.0` 
(https://github.com/apache/logging-log4j2/commit/4a4b7530b1848e630a65d79e9c7dc388a5a7785b)
 only seems to double down this (possibly unnecessary) protection and throws 
exceptions from the constructor of the JNDI Lookup.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to