CVE-2021-44228 Advisory

[mih-kopylov]

  <a href="https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" target="_blank" rel="noopener nofollow ugc">GitHub</a>

CVE-2021-44228 - GitHub Advisory Database

Remote code injection in Log4j

The advisory says that both log4j-core and log4j-api are affected.

According to NVD - CVE-2021-44228 the log4j-api isn’t affected, it’s only log4j-core that is.

https://issues.apache.org/jira/browse/LOG4J2-3201?focusedCommentId=17456962&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17456962
The log4j devs confirm that.

I’m not sure where does the information about log4j-api comes to database, could it be verified?

[murphy85]

The advisory was updated with an explanation, but I’m not happy with the solution, too.

Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. The org.apache.logging.log4j:log4j-api package is included on this advisory to prevent version desync which may occur as a result of dependabot actions.

Our security scanners, like trivy, alerts us on EVERY Spring Boot project (over 100), because they depend on log4j-api, but NOT on log4j-core. Therefore they are not affected by this CVE.

[SebastiaandenBoer]

Dependency version desync is not a valid reason for a package to be included as a security risk.

Considering the impact this might have in automated CI/CD pipelines, where non-passing security tests usually do not pass quality gates and devs are therefore more likely to add an exception to security scanners (thus creating a real security risk), the log4j-api dependency should be removed from the vuln database asap.

[clamoriniere]

Hello

it seems that all the fixed versions are not listed for the packages: log4j-core log4j-api

• 2.12.2 log4j version should be listed with “2.15.0” as “Fixed version” for CVE-2021-44228

Same issue about another log4j vulnerability CVE-2021-45046:

• 2.12.2 log4j version should be listed with “2.16.0” as “Fixed version” for CVE-2021-45046

How can we add them?

[MikeMoore63]

Any progress on removing the false positive for log4j-api from this advisory?

[afdesk]

I took a look at NVD Details about CVE-2021-44228, and there are security releases 2.12.2, 2.12.3, and 2.3.1.

But GitHub Security Advisory Database doesn’t exclude these versions: Remote code injection in Log4j · CVE-2021-44228 · GitHub Advisory Database · GitHub

Is it possible to fix it?
thanks a lot!

[mrjonstrong]

advisory has been updated now 😄

[jcburgoon]

The update does not fix the issue since it does not take all Java versions into account. See Improper Input Validation and Injection in Apache Log4j2 · CVE-2021-44832 · GitHub Advisory Database · GitHub for an example.

The same problem applies to Incomplete fix for Apache Log4j vulnerability · CVE-2021-45046 · GitHub Advisory Database · GitHub