logpresso identifies CVE-2021-4104 in reload4j #271
Comments
@fipro78 It's most likely a false positive of the scanner. I will investigate it.
@fipro78 v2.9.2 release will detect vulnerabilities from old versions of reload4j like this:
Scanner will not detect vulnerability for reload4j 1.2.18.3 or above.
@xeraph thanks for fixing this. I tested it and it works as intended for the artefacts from Maven Central. Eclipse is re-bundling the artefact from Maven to add jar signing. The content otherwise is the same. But logpresso identifies the CVE again, because the pom.properties file is located in another folder structure, which is caused by the re-bundling: `META-INF\maven\org.eclipse.orbit.bundles\org.apache.log4j`. The re-bundled artefact is available in the integration build of Eclipse Orbit: https://download.eclipse.org/tools/orbit/downloads/drops/I20220210065320/ The name of the artefact changed to org.apache.log4j_1.2.19. Would it be possible to add the handling for the re-bundled version also?
@fipro78 Would you test the v3.0.1 release? It will also detect the re-bundled reload4j version.
@xeraph I downloaded the latest reload4j jars (Maven Central and re-bundled Eclipse Orbit) and the latest logpresso 3.0.1 for Windows. It now works as expected, the vulnerabilities are not detected anymore. Thanks for the fast reaction!
@fipro78 Thank you for the test report! :D
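The thread above boils down to a version-based check: the scanner decides from the `pom.properties` Maven metadata inside the jar whether the bundled reload4j is at or above 1.2.18.3, and the re-bundled Eclipse Orbit jar initially slipped through because its `pom.properties` sits under a different folder. The following is an added illustration of that approach, not logpresso's own code. It assumes (beyond what the thread states) that the Orbit re-bundled jar's `pom.properties` carries `groupId=org.eclipse.orbit.bundles` and `artifactId=org.apache.log4j`, that the CVE-2021-4104 class of interest is `org/apache/log4j/net/JMSAppender.class`, and that the sample jars are constructed in memory rather than downloaded.

```python
"""Version-based classification of a jar for CVE-2021-4104.

Added example, not the logpresso scanner's code. Assumptions not taken
from the issue thread: the Orbit re-bundled coordinates, the JMSAppender
class path, and the constructed sample jars below.
"""
import io
import zipfile
from typing import Dict, List, Tuple

# Class whose presence makes a log4j 1.x / reload4j jar relevant to CVE-2021-4104.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
# First reload4j release the maintainer above treats as fixed (hardened, class kept).
FIXED_VERSION = (1, 2, 18, 3)
# (groupId, artifactId) pairs identifying reload4j; the second pair is the
# assumed Eclipse Orbit re-bundled layout.
RELOAD4J_COORDS = {
    ("ch.qos.reload4j", "reload4j"),
    ("org.eclipse.orbit.bundles", "org.apache.log4j"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.18.3' -> (1, 2, 18, 3); a non-numeric segment ends the tuple."""
    parts: List[int] = []
    for seg in text.strip().split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    return tuple(parts)


def parse_properties(data: bytes) -> Dict[str, str]:
    """Minimal reader for the key=value lines Maven writes to pom.properties."""
    props: Dict[str, str] = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_maven_coords(zf: zipfile.ZipFile) -> List[Dict[str, str]]:
    """Collect every pom.properties under META-INF/maven/, whatever the
    intermediate folders are, so a re-bundled jar is still matched."""
    found = []
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            found.append(parse_properties(zf.read(name)))
    return found


def check_cve_2021_4104(jar_bytes: bytes) -> str:
    """Return 'not-affected', 'mitigated' or 'vulnerable' for one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if JMS_APPENDER not in zf.namelist():
            return "not-affected"  # appender class absent
        for props in find_maven_coords(zf):
            coords = (props.get("groupId", ""), props.get("artifactId", ""))
            if coords in RELOAD4J_COORDS:
                if parse_version(props.get("version", "0")) >= FIXED_VERSION:
                    return "mitigated"  # class present, but hardened release
                return "vulnerable"
    # JMSAppender present and no reload4j coordinates: plain log4j 1.x
    return "vulnerable"


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build a small jar (zip) in memory from name -> bytes (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def pom_properties(group: str, artifact: str, version: str) -> bytes:
    return (f"#Generated by Maven\nversion={version}\n"
            f"groupId={group}\nartifactId={artifact}\n").encode()


# Constructed sample jars; versions and layouts are illustrative only.
CLASS_STUB = b"\xca\xfe\xba\xbe"
SAMPLES = {
    "reload4j-old": build_jar({
        JMS_APPENDER: CLASS_STUB,
        "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties":
            pom_properties("ch.qos.reload4j", "reload4j", "1.2.18.2"),
    }),
    "reload4j-fixed": build_jar({
        JMS_APPENDER: CLASS_STUB,
        "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties":
            pom_properties("ch.qos.reload4j", "reload4j", "1.2.18.3"),
    }),
    "orbit-rebundled": build_jar({
        JMS_APPENDER: CLASS_STUB,
        "META-INF/maven/org.eclipse.orbit.bundles/org.apache.log4j/pom.properties":
            pom_properties("org.eclipse.orbit.bundles", "org.apache.log4j", "1.2.19"),
    }),
    "no-jms-appender": build_jar({"org/apache/log4j/Logger.class": CLASS_STUB}),
}


def scan_samples() -> Dict[str, str]:
    return {name: check_cve_2021_4104(jar) for name, jar in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```

The `mitigated` verdict is what distinguishes a hardening fix from a class removal: the appender class is still in the jar, so a purely class-presence check would flag it, while the version check does not. A scanner that only searched the fixed Maven Central path `META-INF/maven/ch.qos.reload4j/reload4j/` would miss the Orbit jar's metadata entirely and fall through to the default verdict, which is the behaviour the thread describes before v3.0.1.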
reload4j is a drop-in replacement intended to fix the latest security issues.
https://reload4j.qos.ch/
They have fixed CVE-2021-4104 by hardening, not by removing the class. logpresso nevertheless reports the CVE-2021-4104 vulnerability.
I have created a ticket in the reload4j repository:
qos-ch/reload4j#36
The question is: how is the check in logpresso for CVE-2021-4104 implemented, and is the CVE really still present or is it fixed by the hardening? It would be great to have a consistent view on this to avoid confusion for adopters.