Log4j 2: LOG4J2-2796

CVEs in the execution path imported by dependencies


Details

    • Type: Dependency upgrade
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid

Description

    Hello, your project is using some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project. To prevent potential security risks it may cause, I suggest updating the library dependency. Please look into the details below.

    • Vulnerable Dependency: org.slf4j : slf4j-ext : 1.7.25
    • Call Chain to Buggy Methods:
      • Some files in your project call the library method org.slf4j.ext.EventData.getMessage(), which can reach the buggy method of CVE-2018-8088.
        • Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
        • One of the possible call chains:
          org.slf4j.ext.EventData.getMessage() [buggy method]
      • Some files in your project call the library method org.slf4j.ext.EventData.getEventMap(), which can reach the buggy method of CVE-2018-8088.
        • Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
        • One of the possible call chains:
          org.slf4j.ext.EventData.getEventMap() [buggy method]
      • Some files in your project call the library method org.slf4j.ext.EventData.getEventType(), which can reach the buggy method of CVE-2018-8088.
        • Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
        • One of the possible call chains:
          org.slf4j.ext.EventData.getEventType() [buggy method]
      • Some files in your project call the library method org.slf4j.ext.EventData.getEventId(), which can reach the buggy method of CVE-2018-8088.
        • Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
        • One of the possible call chains:
          org.slf4j.ext.EventData.getEventId() [buggy method]
    • Update suggestion: version 1.8.0-beta2 is a safe version without CVEs. From 1.7.25 to 1.8.0-beta2, the APIs used in your project have not changed.

          People

    Assignee: Unassigned
    Reporter: XuCongying (XuCY)