CVE-2021-44228 Advisory #24647
-
Remote code injection in Log4j · CVE-2021-44228 · GitHub Advisory Database. The advisory says that both log4j-core and log4j-api are affected. According to NVD - CVE-2021-44228 the https://issues.apache.org/jira/browse/LOG4J2-3201?focusedCommentId=17456962&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17456962 I’m not sure where the information about
Replies: 7 comments
-
The advisory was updated with an explanation, but I’m not happy with the solution, too.
Our security scanners, like trivy, alert us on EVERY Spring Boot project (over 100), because they depend on log4j-api, but NOT on log4j-core. Therefore they are not affected by this CVE.
-
Dependency version desync is not a valid reason for a package to be included as a security risk. Considering the impact this might have in automated CI/CD pipelines, where non-passing security tests usually do not pass quality gates and devs are therefore more likely to add an exception to security scanners (thus creating a real security risk), the
-
Hello, it seems that not all the fixed versions are listed for the packages.
Same issue with another log4j vulnerability, CVE-2021-45046.
How can we add them?
-
Any progress on removing the false positive for log4j-api from this advisory?
-
I took a look at NVD Details about CVE-2021-44228, and there are security releases 2.12.2, 2.12.3, and 2.3.1. But the GitHub Security Advisory Database doesn’t exclude these versions: Remote code injection in Log4j · CVE-2021-44228 · GitHub Advisory Database · GitHub. Is it possible to fix it?
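The two false-positive classes raised in this thread (log4j-api being flagged alongside log4j-core, and backport releases such as 2.12.2 and 2.3.1 being flagged because a single "below the fixed version" range does not know about maintenance branches) can be reproduced with a small triage script. The example below is added here and is not code from GitHub, Apache Log4j, or any scanner; it assumes `mvn dependency:list`-style `group:artifact:type:version:scope` lines as input, uses the branch fix versions named in the thread (2.3.1, 2.12.2), and assumes 2.15.0 as the main-line fixed version, which must be confirmed against the advisory. The dependency list is constructed for the example.

```python
"""Branch-aware triage of Log4j Maven coordinates (added example, not project code).

Compares what a single-range, artifact-agnostic scanner reports with a check that
(a) only flags log4j-core, the artifact that carries the JNDI lookup code, and
(b) knows that each maintenance branch received its own fixed release.
"""

LOG4J_GROUP = "org.apache.logging.log4j"

# First fixed version on each maintenance branch, as listed in the thread.
FIXED_BY_BRANCH = {(2, 3): "2.3.1", (2, 12): "2.12.2"}
# Fixed version on the main line. Assumed here; take the real value from the advisory.
MAINLINE_FIXED = "2.15.0"


def parse_version(v):
    """'2.12.2' -> (2, 12, 2, 1); '2.0-beta9' -> (2, 0, 0, 0) so pre-releases sort first."""
    main, _, qualifier = v.partition("-")
    parts = [int(p) for p in main.split(".")]
    parts += [0] * (3 - len(parts))          # pad '2.3' to '2.3.0'
    return tuple(parts[:3]) + ((0,) if qualifier else (1,))


def parse_dependency_line(line):
    """Parse one 'group:artifact:type:version:scope' line into (group, artifact, version)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        return None
    return fields[0], fields[1], fields[3]


def naive_assess(group, artifact, version):
    """What a single-range scanner does: every log4j-* artifact below the main-line fix is reported."""
    if group != LOG4J_GROUP or not artifact.startswith("log4j-"):
        return "not-log4j"
    return "vulnerable" if parse_version(version) < parse_version(MAINLINE_FIXED) else "fixed"


def branch_aware_assess(group, artifact, version):
    """Only log4j-core is affected, and the fixed version depends on the release branch."""
    if group != LOG4J_GROUP or not artifact.startswith("log4j-"):
        return "not-log4j"
    if artifact != "log4j-core":
        return "not-affected-artifact"      # e.g. log4j-api pulled in by Spring Boot
    pv = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(pv[:2], MAINLINE_FIXED)
    return "fixed" if pv >= parse_version(fixed) else "vulnerable"


def triage(lines):
    """Return [(coordinate, naive_verdict, branch_aware_verdict)] for every log4j dependency."""
    rows = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        naive = naive_assess(group, artifact, version)
        if naive == "not-log4j":
            continue
        aware = branch_aware_assess(group, artifact, version)
        rows.append((f"{group}:{artifact}:{version}", naive, aware))
    return rows


def false_positives(rows):
    """Coordinates the naive scanner flags but the branch-aware check clears."""
    return [c for c, naive, aware in rows if naive == "vulnerable" and aware != "vulnerable"]


# Constructed sample dependency tree, not taken from any real project.
SAMPLE_DEPENDENCIES = [
    "org.springframework.boot:spring-boot-starter:jar:2.6.1:compile",
    "org.apache.logging.log4j:log4j-api:jar:2.14.1:compile",
    "org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile",
    "org.apache.logging.log4j:log4j-core:jar:2.12.2:compile",
    "org.apache.logging.log4j:log4j-core:jar:2.3.1:compile",
    "org.apache.logging.log4j:log4j-core:jar:2.14.1:compile",
]

if __name__ == "__main__":
    rows = triage(SAMPLE_DEPENDENCIES)
    fps = set(false_positives(rows))
    for coord, naive, aware in rows:
        mark = "  <- false positive" if coord in fps else ""
        print(f"{coord:50} naive={naive:10} branch-aware={aware}{mark}")
```

Running it on the constructed tree shows four coordinates the naive range flags and the branch-aware check clears; only log4j-core 2.14.1 is reported by both. The point for advisory maintainers and scanner authors is the same one the commenters make: an affected-range needs one entry per release branch, and the artifact name is part of the match, not just the group.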
-
advisory has been updated now 😄
-
The update does not fix the issue, since it does not take all Java versions into account. See Improper Input Validation and Injection in Apache Log4j2 · CVE-2021-44832 · GitHub Advisory Database · GitHub for an example. The same problem applies to Incomplete fix for Apache Log4j vulnerability · CVE-2021-45046 · GitHub Advisory Database · GitHub.