Log4j Vulnerability (CVE-2021-44228) in Maven plugins

Hi,

While investigating whether the Maven plugins we use for configuring and deploying Apigee (https://github.com/apigee/apigee-config-maven-plugin and https://github.com/apigee/apigee-deploy-maven-plugin) are impacted by the CVE-2021-44228 Log4j vulnerability (https://www.lunasec.io/docs/blog/log4j-zero-day/), we found out that they are not affected (the affected versions are >=2.0-beta9 and <=2.14.1).

However, the problem is that these plugins use version 1.2.17, which is End of Life (it is not maintained anymore) and has other security vulnerabilities that will not be fixed anymore.

Can these plugins be updated to reference the latest version of Log4j (2.15.0)?

Thank you in advance!


@danielpuiu - Thanks for this. I checked the versions. We are not using "org.apache.logging.log4j:log4j" libraries. We are using

<dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-log4j12</artifactId>
  <version>1.6.6</version>
</dependency>

which does not have any dependency (directly or indirectly) on org/apache/logging/log4j/core/lookup/JndiLookup.class. So I think we should be good for now.

However - I plan to work on upgrading the log4j version (either use latest jars or use Flogger). Will update here once that's out.
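The check described in the reply above (whether any jar the plugin pulls in ships org/apache/logging/log4j/core/lookup/JndiLookup.class) can be automated. The script below is an added example, not code from the Apigee plugins or from anyone in this thread: it inspects one archive and the archives nested inside it, reporting the JndiLookup class and the log4j-core and log4j 1.x versions recorded in their Maven pom.properties. The sample archives are constructed in memory.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_PROPS = "META-INF/maven/log4j/log4j/pom.properties"  # the EOL 1.2.x line
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def read_version(zf, props):
    # Return the version= value of a Maven pom.properties member, or None.
    if props not in zf.namelist():
        return None
    for line in zf.read(props).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_archive(data, name, depth=0):
    """One finding per archive shipping log4j-core or log4j 1.x; recurses into
    nested archives with a depth limit so a crafted zip cannot recurse forever."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        names = zf.namelist()
        core, legacy = read_version(zf, CORE_PROPS), read_version(zf, LOG4J1_PROPS)
        if JNDI_CLASS in names or core or legacy:
            findings.append({"archive": name, "jndi_lookup": JNDI_CLASS in names,
                             "log4j_core_version": core, "log4j1_version": legacy})
        if depth < 3:  # shaded/uber jars and WARs carry jars inside them
            for member in names:
                if member.lower().endswith(ARCHIVE_SUFFIXES):
                    findings += scan_archive(zf.read(member), f"{name}!{member}", depth + 1)
    return findings

def build_jar(members):
    # Build a constructed in-memory jar; only used for the sample input.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: log4j-core 2.14.1 (JndiLookup present) and a log4j 1.2.17 jar nested in an app jar.
    core = build_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", CORE_PROPS: b"version=2.14.1\n"})
    old = build_jar({LOG4J1_PROPS: b"version=1.2.17\n"})
    app = build_jar({"lib/log4j-core.jar": core, "lib/log4j.jar": old, "Main.class": b""})
    for finding in scan_archive(app, "app.jar"):
        print(finding)
```

Point scan_archive at each jar Maven resolves for the plugin (for example under ~/.m2/repository): a JndiLookup hit at a log4j-core version in the affected range, or any log4j 1.x hit, is what the upgrades later in this thread remove.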

Thank you very much, @ssvaidyanathan! I've seen you already updated the apigee-config-maven-plugin.

Are you going to also apply the same update in the apigee-deploy-maven-plugin?

@danielpuiu 

Released a new version of Maven plugins (with latest Apache Log4J libraries v2.16.0)
- Apigee Maven Config Plugin v1.5.0 (For Apigee Edge/OPDK)
- Apigee Maven Config Plugin v2.2.0 (For Apigee X/Hybrid)
- Apigee Maven Deploy Plugin v1.3.0 (For Apigee Edge/OPDK)
- Apigee Maven Deploy Plugin v2.2.0 (For Apigee X/Hybrid)

Thank you @ssvaidyanathan.

I've seen that in the meantime you have updated the libraries to reference Log4j 2.17.0. Are you planning to release the new version in the next period?

Thank you,

Daniel

Yes - I will be releasing before the holidays 🙂

Thank you @ssvaidyanathan. It seems that the log4j focus is not over yet and there was another vulnerability published in log4j related to Remote Code Execution under https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832. Even though this is not as critical as the first time, it is recommended to upgrade to Log4j 2.17.1 for Java 8+.

Could you please do one more update?

Thank you,

Daniel

Patched a new version of Maven plugins (with latest Apache Log4J libraries v2.17.1)
- Apigee Maven Config Plugin v1.5.2 (For Apigee Edge/OPDK)
- Apigee Maven Config Plugin v2.2.2 (For Apigee X/Hybrid)
- Apigee Maven Deploy Plugin v1.3.2 (For Apigee Edge/OPDK)
- Apigee Maven Deploy Plugin v2.2.2 (For Apigee X/Hybrid)