[SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability



Jan Matèrne (jhm)
CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:

  Apache Ant 1.9.0 - 1.9.9

  Apache Ant 1.10.0 - 1.10.1

  The unsupported Apache Ant 1.8 and lower versions are also affected.

Description:

  When using Apache Ant's Log4jListener there could be a security issue with the underlying Apache Log4j library in version 1.x.

  Please note that Log4j 1.x has reached its end of life and is no longer maintained.

  For details about migrating away from Log4j 1.x please consult with the Apache Log4j team.

Mitigation:

  Users should not use the Log4JListener or use the log4j2-bridge.

  (Using the bridge requires Ant 1.9.10+ or Ant 1.10.2+.)

Credit:

  This issue was discovered by Wade Schwarz of Oracle.

-Jan Matèrne

on behalf of the Apache Ant PMC


Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Gintautas Grigelionis
The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
Log4j 1.x issue. Did I miss something?

Gintas

2018-02-07 8:11 GMT+01:00 Jan Matèrne (jhm) <[hidden email]>:

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Stefan Bodewig
On 2018-02-07, Gintautas Grigelionis wrote:

> The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> Log4j 1.x issue. Did I miss something?

The subject is how it has been reported to us.

Prior to the latest releases you have not been able to use log4j2 so
there is no reason to talk about those versions. The recommended
mitigation of "don't use Log4JListener or use the log4j2-bridge" is
correct, one might add "of a log4j 2.x version that is not vulnerable to
the attack".

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Gintautas Grigelionis
Exactly, what I meant is that it's worth pointing out that not even all
versions of log4j 2.x are safe.

Gintas

2018-02-07 18:18 GMT+01:00 Stefan Bodewig <[hidden email]>:

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Matt Sicker
Based on that version, this is related to using Java serialization for
logs. The general workaround here is to use a different format like JSON
instead to avoid the vulnerability entirely.

On 7 February 2018 at 12:03, Gintautas Grigelionis <[hidden email]>
wrote:

--
Matt Sicker <[hidden email]>

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Gintautas Grigelionis
Sorry, could you please clarify whether there are different aspects pertaining
to 1.x and 2.x up to and after 2.8.2?

Thanks, Gintas

2018-02-07 19:10 GMT+01:00 Matt Sicker <[hidden email]>:

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Matt Sicker
After 2.8.2, there's a class whitelist used for deserializing data in the
receiver.

On 7 February 2018 at 12:19, Gintautas Grigelionis <[hidden email]>
wrote:

--
Matt Sicker <[hidden email]>
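Matt's two points above, that the root issue is Java serialization on the receiving side and that the fix in Log4j 2.8.2 and later is a class allowlist in the receiver, as a worked example. This is added illustration code and not Log4j's or Ant's own source: LogEvent, NotALogEvent, FilteredObjectInputStream, ALLOWED and the two read methods are assumed stand-ins for a serializing socket appender, a log receiver and an unexpected class arriving on the log port. It runs offline on bytes it serializes itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

/** Added example: a serialized-object log receiver, unfiltered beside allowlisted. */
public final class LogReceiverDemo {

    /** Assumed event type: a minimal serializable log record (not Log4j's LogEvent). */
    public static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String level;
        public final String message;
        public LogEvent(String level, String message) {
            this.level = level;
            this.message = message;
        }
    }

    /** Constructed class the receiver has no reason to accept; stands in for a gadget class. */
    public static final class NotALogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String payload;
        public NotALogEvent(String payload) { this.payload = payload; }
    }

    /** Vulnerable pattern: instantiates whatever class name the sender put on the wire. */
    public static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: resolveClass() consults an allowlist before any class is loaded. */
    public static final class FilteredObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public FilteredObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);  // reads only the stream header; no class resolution happens here
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                // Rejected before Class.forName and before any readObject hook can run.
                throw new InvalidClassException(name, "class not allowed by log receiver");
            }
            return super.resolveClass(desc);
        }
    }

    /** Only the event type is expected on the log port; String fields need no entry. */
    public static final Set<String> ALLOWED = Collections.singleton(LogEvent.class.getName());

    /** Hardened read: anything not on the allowlist is refused with InvalidClassException. */
    public static LogEvent readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteredObjectInputStream(new ByteArrayInputStream(wire), ALLOWED)) {
            return (LogEvent) in.readObject();
        }
    }

    /** Sender side: what a serializing socket appender writes to the connection. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new LogEvent("INFO", "build started"));          // constructed input
        byte[] bad = serialize(new NotALogEvent("unexpected type on log port"));  // constructed input

        // The unfiltered receiver instantiates whatever arrives; with a gadget chain on
        // the classpath this is where attacker-controlled code would execute.
        System.out.println("unfiltered: " + readUnfiltered(bad).getClass().getName());

        // The filtered receiver accepts the expected event ...
        LogEvent ev = readFiltered(good);
        System.out.println("filtered ok: " + ev.level + " " + ev.message);

        // ... and refuses the unexpected class before it is loaded.
        try {
            readFiltered(bad);
            System.out.println("filtered: ACCEPTED (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected " + e.classname);
        }
    }
}
```

readUnfiltered() shows the property the thread is worried about: the sender, not the receiver, decides which class gets instantiated. readFiltered() throws from resolveClass() before the unexpected class is loaded, which is what a receiver-side allowlist buys. On Java 9 and later the same policy can be set without subclassing, through java.io.ObjectInputFilter and ObjectInputStream.setObjectInputFilter(). Switching the wire format to a text layout such as JSON, as Matt suggests, removes the deserialization step entirely and is the stronger option where the sender can be changed.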