Re: [PR] Proofread CVE fix versions [logging-site]

Tue, 28 Jan 2025 03:47:18 -0800 


ppkarwasz commented on code in PR #6:
URL: https://github.com/apache/logging-site/pull/6#discussion_r1932009167


##########
_vulnerabilities.adoc:
##########
@@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai 
Technologies, Guy Lederfein
 |Summary |Thread Context Lookup is vulnerable to remote code execution in 
certain configurations
 |CVSS 3.x Score & Vector |9.0 CRITICAL 
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
 |Components affected |`log4j-core`
-|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
-|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` 
(for Java 8 and later)
+|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)`

Review Comment:
   The way I see it:
   
   - CVE-2021-44228 is about JNDI lookup injection through the `%m` pattern. It 
was fixed in `2.15.0`.
   - JNDI lookups could come from the recursive evaluation of `${ctx:…}` and 
that is why we issued CVE-2021-45046 and disabled the instantiation of the JNDI 
lookup in `2.16.0`.
   - Of course other lookups are also a problem, so we issued CVE-2021-45105 
and disabled recursive evaluation of lookups in `2.17.0`.
   
   These numbers agree with those reported to the NVD and IMHO correcting the 
order of evaluation of `%m` patterns and disabling `${jndi:…}` lookups cuts off 
all ways to use the JNDI lookup. Version `2.16.0`prevents the instantiation of 
the lookup in `Interpolator` (its only caller):
   
   ```java
   final Class<? extends StrLookup> clazz = 
entry.getValue().getPluginClass().asSubclass(StrLookup.class);
   if (!clazz.getName().equals(JndiLookup.class.getName()) || 
JndiManager.isJndiEnabled()) {
       strLookupMap.put(entry.getKey().toLowerCase(), 
ReflectionUtil.instantiate(clazz));
   }
   ```
   
   (see [source 
code](https://github.com/apache/logging-log4j2/blob/cffe58f6a433ea1ab60ceb129d4c9b3377acda1d/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L80-L83))
   
   
https://github.com/apache/logging-log4j2/commit/4a4b7530b1848e630a65d79e9c7dc388a5a7785b
 only seems to double down this protection and throws exceptions from the 
constructor of the JNDI Lookup.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to