How to figure out which programs use log4j?

Mike London
Bartender
In my SpringBoot application, I have several log4j libraries which I'm assuming could be called independently (outside the app) by some malicious program.

As one example, commons logging appears to use an old log4j. Yet, checking Maven, I don't see any update.

There is also a log4j2, version 2.1.14, in the project jar files, but it's unclear what dependency is using it.

What a mess!

Suggestions on how to track down vulnerable libraries in jar files within a war file, and how to know whether they're a problem or not?

Thanks!

- mike
[Attachment logging.png: logging jar files found in SpringBoot 2.6.1 project]

Liutauras Vilda
Marshal
I'm assuming you are using the CE (Community Edition) version. Try to download the plugin called "Maven Helper" by clicking:
IntelliJ IDEA --> Preferences --> Plugins --> Type: Maven Helper --> Install... and then restart the IDE.

Then at the bottom of the IDE, you should see Dependency Analyser, where you could see them as a list or tree, that includes search and filter functionalities - see if that helps you.

Tim Cooke
Sheriff
Or

Tim Holloway
Saloon Keeper
There are some tools that will analyze your apps looking for vulnerable Log4J libraries. I'll have to throw you to the mercy of an Internet search to find them, though, since I didn't note where they were.

Only org.log4j modules are vulnerable. Stuff that hooks into log4j is only vulnerable to the extent that it sends stuff to the org.log4j logger.

No, I don't think that you can attack an app without assaulting a running version of the app directly. The exploit works by injecting bad data into log4j message formatting processes. Meaning that log4j has to be in live code to be attacked.
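Tim mentions tools that scan an application for vulnerable Log4j jars. The following is an added example of such a scanner, written for this page and not code from the thread or from any of those tools: it opens every .jar inside a WAR, reads the Maven pom.properties that log4j-core ships with, and reports the version and whether the JndiLookup class is present. The sample WAR at the bottom (jar names, versions and contents) is constructed in memory so the script runs offline.

```python
"""Scan a WAR for bundled log4j jars and report version and JNDI lookup presence.

Added example, not code from the thread; the sample WAR is constructed below.
"""
import io
import re
import zipfile

# Paths that exist inside real log4j jars.
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(pom_properties: str):
    """Pull 'version=...' out of a Maven pom.properties file."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_key(version: str):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def inspect_jar(name: str, data: bytes):
    """Return a finding dict for a log4j jar, or None for any other jar."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        entries = set(jar.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in entries
        if CORE_POM_PROPS in entries:
            version = parse_version(jar.read(CORE_POM_PROPS).decode("utf-8"))
            # CVE-2021-44228 affects log4j-core 2.x before 2.15.0; deleting
            # JndiLookup.class was the documented mitigation for older builds.
            affected = (has_jndi and version is not None
                        and version_key(version) < (2, 15, 0))
            return {"jar": name, "artifact": "log4j-core", "version": version,
                    "jndi_lookup_present": has_jndi,
                    "affected_cve_2021_44228": affected}
        if has_jndi:
            # Shaded/repackaged jar: the classes are there, the Maven metadata is not.
            return {"jar": name, "artifact": "log4j-core (shaded, version unknown)",
                    "version": None, "jndi_lookup_present": True,
                    "affected_cve_2021_44228": None}
        if LOG4J1_POM_PROPS in entries:
            version = parse_version(jar.read(LOG4J1_POM_PROPS).decode("utf-8"))
            # log4j 1.x has no JNDI lookup and is not affected by CVE-2021-44228,
            # but it is end-of-life, so it is still worth listing.
            return {"jar": name, "artifact": "log4j (1.x)", "version": version,
                    "jndi_lookup_present": False, "affected_cve_2021_44228": False}
    return None


def scan_war(war_bytes: bytes):
    """Walk every .jar inside the WAR and collect the log4j findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if entry.lower().endswith(".jar"):
                finding = inspect_jar(entry, war.read(entry))
                if finding:
                    findings.append(finding)
    return findings


def make_zip(files: dict) -> bytes:
    """Build a zip/jar in memory from {path: content}; only used for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def sample_war() -> bytes:
    """Constructed sample WEB-INF/lib of the kind a Spring Boot 2.6 war might carry."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic; enough to stand in for a class
    jars = {
        "WEB-INF/lib/log4j-core-2.14.1.jar": make_zip({
            CORE_POM_PROPS: "version=2.14.1\ngroupId=org.apache.logging.log4j\n",
            JNDI_LOOKUP_CLASS: magic}),
        "WEB-INF/lib/log4j-core-2.17.1.jar": make_zip({
            CORE_POM_PROPS: "version=2.17.1\n", JNDI_LOOKUP_CLASS: magic}),
        # The API and SLF4J bridge jars that spring-boot-starter-logging pulls in
        # carry no lookup code; the scanner must not flag them.
        "WEB-INF/lib/log4j-api-2.14.1.jar": make_zip({
            "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": "version=2.14.1\n"}),
        "WEB-INF/lib/log4j-to-slf4j-2.14.1.jar": make_zip({
            "META-INF/maven/org.apache.logging.log4j/log4j-to-slf4j/pom.properties": "version=2.14.1\n"}),
        "WEB-INF/lib/log4j-1.2.17.jar": make_zip({LOG4J1_POM_PROPS: "version=1.2.17\n"}),
    }
    return make_zip(jars)


if __name__ == "__main__":
    for finding in scan_war(sample_war()):
        print(finding)
```

Only log4j-core carries the JNDI lookup, so the log4j-api and log4j-to-slf4j bridge jars that spring-boot-starter-logging brings in are reported as clean, which matches the point above that it is the module doing the logging, not the code that calls it, that matters. A jar that repackages log4j classes without the Maven metadata is caught only by the class-path check, so its version is reported as unknown. The scanner tells you what is in the war, not who pulled it in; for that, `mvn dependency:tree` on the project answers the question.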

Mike London
Bartender
Tim Holloway wrote:There are some tools that will analyze your apps looking for vulnerable Log4J libraries. I'll have to throw you to the mercy of an Internet search to find them, though, since I didn't note where they were.

Only org.log4j modules are vulnerable. Stuff that hooks into log4j is only vulnerable to the extent that it sends stuff to the org.log4j logger.

No, I don't think that you can attack an app without assaulting a running version of the app directly. The exploit works by injecting bad data into log4j message formatting processes. Meaning that log4j has to be in live code to be attacked.

Thanks Tim!

Tim Cooke
Sheriff
Assuming you're using Maven, the following will fail your build if any of your dependencies have vulnerabilities.
https://owasp.org/www-project-dependency-check/
We have the following in our project pom
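An added example of the wiring Tim refers to, written for this page (it is not the fragment from his pom, which is not reproduced above; the plugin version, the CVSS threshold and the suppression file name are assumptions):

```xml
<!-- pom.xml, inside <build><plugins> -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.5.0</version>  <!-- assumed; use the current release -->
  <executions>
    <execution>
      <goals>
        <!-- "check" binds to the verify phase, so "mvn verify" runs it -->
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- fail the build when a dependency has a CVE at or above this CVSS score -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- decisions not to act on a specific CVE live in a suppression file, not here -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>
```

The first run downloads the NVD data, so it needs network access and takes a while; later runs update incrementally. The threshold is a policy choice: 7 fails on anything rated High or Critical, and lowering it to 0 fails on every CVE the tool can match to a dependency.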

Tim Cooke
Sheriff
That failed the build for us this morning because of a vulnerability in Logback.
https://nvd.nist.gov/vuln/detail/CVE-2021-42550

nvd.nist.gov wrote:In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.


Liutauras Vilda
Marshal
Tim Cooke wrote:That failed the build for us this morning

A non-concrete question, but how often do you find that builds fail, or more concretely, fail with false positives so that you need to add them to the suppression list? I've never used this plugin, but it looks worth integrating with.

Tim Cooke
Sheriff
It's not about false positives, rather a decision to not address a particular CVE. For example, our exclusion list is this
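As an added example of what such a list looks like in dependency-check's suppression file format, suppressing the logback CVE quoted earlier in the thread. This is not Tim's actual list, which is not reproduced above; the file name, the package URL pattern and the justification text are assumptions written for this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed name; point suppressionFile at it) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>
      CVE-2021-42550: code execution through a crafted logback configuration file.
      Example justification: exploitation needs write access to the logback
      configuration, which is packaged inside the artifact and not editable at
      runtime. Record who reviewed this and when, and re-check on the next
      logback upgrade.
    </notes>
    <!-- scope the suppression to the affected artifacts, not to the whole build -->
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-(core|classic)@.*$</packageUrl>
    <cve>CVE-2021-42550</cve>
  </suppress>
</suppressions>
```

Keeping the CVE identifier and a package URL pattern on every entry is what makes this an accepted-risk record rather than a blanket exclusion: a different CVE against the same logback version, or the same CVE against another artifact, still fails the build.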