sonatype-lift[bot] commented on a change in pull request #1802:
URL: https://github.com/apache/zookeeper/pull/1802#discussion_r824757853
##########
File path: zookeeper-assembly/pom.xml
##########
@@ -64,6 +64,14 @@
<artifactId>zookeeper</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
Review comment:
*Critical OSS Vulnerability:*
### pkg:maven/org.slf4j/[email protected]
2 Critical, 0 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found
across 1 dependencies
<details>
<summary><b>Components</b></summary><br/>
<ul>
<details>
<summary><b>pkg:maven/log4j/[email protected]</b></summary>
<ul>
<details>
<summary><b>CRITICAL Vulnerabilities (2)</b></summary><br/>
<ul>
<details>
<summary>CVE-2019-17571</summary>
> #### [CVE-2019-17571] Included in Log4j 1.2 is a SocketServer class that
is vulnerable to deserializat...
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely execute
arbitrary code when combined with a deserialization gadget when listening to
untrusted network traffic for log data. This affects Log4j versions up to 1.2
up to 1.2.17.
>
> **CVSS Score:** 9.8
>
> **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
</details>
<details>
<summary>CVE-2021-4104</summary>
> #### [CVE-2021-4104] JMSAppender in Log4j 1.2 is vulnerable to
deserialization of untrusted data when...
> JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted
data when the attacker has write access to the Log4j configuration. The
attacker can provide TopicBindingName and TopicConnectionFactoryBindingName
configurations causing JMSAppender to perform JNDI requests that result in
remote code execution in a similar fashion to CVE-2021-44228. Note this issue
only affects Log4j 1.2 when specifically configured to use JMSAppender, which
is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users
should upgrade to Log4j 2 as it addresses numerous other issues from the
previous versions.
===================================================
The following information is provided by Sonatype Nexus Intelligence. Nexus
Intelligence is the only security research service that performs
"secondary expansion" to determine if newly discovered
vulnerabilities are also present in other components.
Learn more about Nexus Intelligence --
https://www.sonatype.com/products/intelligence
===================================================
Explanation
---------------------------------------------------
The `log4j:log4j` package is vulnerable to Deserialization of Untrusted
Data. The `lookup()` and `activateOptions()` methods in the `JMSAppender` class
allow `JNDI` lookup requests to be made when the `TopicBindingName` and
`TopicConnectionFactoryBindingName` specify a trusted host. Lookups made to
this host may be used by attackers to request a serialized malicious Java
Object that can be deserialized and executed, leading to Remote Code Execution
(RCE).
Note that this vulnerability is different from CVE-2021-44228 and requires
the attacker to be in control of the third party host that is specified in the
configuration, or write access to the Log4j configuration file in order to
specify a malicious lookup host directly. This vulnerability also only affects
the 1.x.x component of `Log4j` released under the `log4j:log4j` group and
artifact IDs.
*Advisory Deviation Notice:* The Sonatype security research team discovered
that the root cause of the vulnerability is in all versions of log4j:log4j, not
just in the 1.2.x branch as the advisory states.
Detection
---------------------------------------------------
The application is vulnerable by using this component under the following
circumstances:
- The configuration file specifies an allowed third-party `JNDI` lookup host
for the `JMSAppender`
- the `javax.jms.*` API is included in the application's `CLASSPATH`
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2031667#c28
Recommendation
---------------------------------------------------
The 1.x.x component has reach `End of Life`, and users should upgrade to a
non-vulnerable version of `org.apache.logging.log4j:log4j-core` as this
component includes other security vulnerabilities that are not fixed.
References:
- https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
- https://logging.apache.org/log4j/1.2/
>
> **CVSS Score:** 8.1
>
> **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
</details>
</ul>
</details>
<details>
<summary><b>MODERATE Vulnerabilities (1)</b></summary><br/>
<ul>
> #### [CVE-2020-9488] Improper validation of certificate with host mismatch
in Apache Log4j SMTP appen...
> Improper validation of certificate with host mismatch in Apache Log4j SMTP
appender. This could allow an SMTPS connection to be intercepted by a
man-in-the-middle attack which could leak any log messages sent through that
appender.
>
> **CVSS Score:** 3.7
>
> **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
</ul>
</details>
</ul>
</details>
</ul>
</details>
(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with
`help` or `ignore`)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
