
@ppkarwasz (Contributor) commented Jan 27, 2025

This PR double checks which Log4j Core versions resolved which vulnerabilities.

Branch 2.3.x

GHSA-fxph-q3j8-mv87 / CVE-2017-5645 (server class) was never fixed; the TCP/UDP socket server is still there.

GHSA-vwqq-5vrc-xw9h / CVE-2020-9488 (host name validation) was fixed in 2.3.2:

GHSA-jfh8-c2jp-5v3q / CVE-2021-44228 (Log4Shell) was fixed in 2.3.1:

GHSA-7rjr-3q55-vv33 / CVE-2021-45046 (Log4Shell through recursive lookup evaluation) was fixed in 2.3.1:

GHSA-p6xc-xr62-6r2g / CVE-2021-45105 (DoS through recursive lookup evaluation) was fixed in 2.3.1:

GHSA-8489-44mv-ggj8 / CVE-2021-44832 (RCE if you have access to application classpath/configuration) was fixed in 2.3.1:

Branch 2.12.x

GHSA-vwqq-5vrc-xw9h / CVE-2020-9488 (host name validation) was fixed in 2.12.3:

GHSA-jfh8-c2jp-5v3q / CVE-2021-44228 (Log4Shell) was fixed in 2.12.2:

GHSA-7rjr-3q55-vv33 / CVE-2021-45046 (Log4Shell through recursive lookup evaluation) was fixed in 2.12.3:

GHSA-p6xc-xr62-6r2g / CVE-2021-45105 (DoS through recursive lookup evaluation) was fixed in 2.12.3:

GHSA-8489-44mv-ggj8 / CVE-2021-44832 (RCE if you have access to application classpath/configuration) was fixed in 2.12.3:

Note: Unless I am mistaken, version 2.12.4 didn't contain any security updates.

Main 2.x branch

GHSA-jfh8-c2jp-5v3q / CVE-2021-44228 (Log4Shell) was fixed in 2.15.0:

GHSA-7rjr-3q55-vv33 / CVE-2021-45046 (Log4Shell through recursive lookup evaluation) was fixed in 2.16.0:

GHSA-p6xc-xr62-6r2g / CVE-2021-45105 (DoS through recursive lookup evaluation) was fixed in 2.17.0:

GHSA-8489-44mv-ggj8 / CVE-2021-44832 (RCE if you have access to application classpath/configuration) was fixed in 2.17.0:

Note: Unless I am mistaken, version 2.17.1 didn't contain any security updates.

For the `2.3.x` branch:

**CVE-2017-5645** (server class) was never fixed; the TCP/UDP socket server is still there.

**CVE-2020-9488** (host name validation) was fixed in `2.3.2`:

- 3c62f0bea692456b1b5039d3bcc1c3e0ba65146a

**CVE-2021-44228** (Log4Shell) was fixed in `2.3.1`:

- be848dacbac6df30c4f32b2852e24446033ecf79
- f6564bb993d547d0a371b75d869042c334bf57f0

**CVE-2021-45046** (Log4Shell through recursive lookup evaluation) was fixed in `2.3.1`:

- f6564bb993d547d0a371b75d869042c334bf57f0

**CVE-2021-45105** (DoS through recursive lookup evaluation) was fixed in `2.3.1`:

- ce6b78d082aae89089cb3ad25cdd46e9ec70a70b

**CVE-2021-44832** (RCE if you have access to configuration) was fixed in `2.3.1`:

- f6564bb993d547d0a371b75d869042c334bf57f0

For the `2.12.x` branch:

**CVE-2020-9488** (host name validation) was fixed in `2.12.3`:

- 2bcba12b185200b7f3f2532cbfeff1e1da0d5c81
- bb94ea9fa921a61f90b6a934600567e719419ddd

**CVE-2021-44228** (Log4Shell) was fixed in `2.12.2`:

- 70edc233343815d5efa043b54294a6fb065aa1c5
- f819c83804152cb6ed94cb408302e36b21b65053

**CVE-2021-45046** (Log4Shell through recursive lookup evaluation) was fixed in `2.12.3`:

- bf8ba18f63ab9f9ffd54387c5c527ecc7a681037

**CVE-2021-45105** (DoS through recursive lookup evaluation) was fixed in `2.12.3`:

- bf7e916df6335713fe2219c7b3b523fb509deabc

**CVE-2021-44832** (RCE if you have access to configuration) was fixed in `2.12.3`:

- bf8ba18f63ab9f9ffd54387c5c527ecc7a681037

**Note**: Unless I am mistaken, version `2.12.4` didn't contain any security updates.

For the `2.x` branch:

**CVE-2021-44228** (Log4Shell) was fixed in `2.15.0`:

- c77b3cb39312b83b053d23a2158b99ac7de44dd3
- 001aaada7dab82c3c09cde5f8e14245dc9d8b454

**CVE-2021-45046** (Log4Shell through recursive lookup evaluation) was fixed in `2.16.0`:

- c362aff473e9812798ff8f25f30a2619996605d5
- 27972043b76c9645476f561c5adc483dec6d3f5d

**CVE-2021-45105** (DoS through recursive lookup evaluation) was fixed in `2.12.3`:

- 806023265f8c905b2dd1d81fd2458f64b2ea0b5e

**CVE-2021-44832** (RCE if you have access to configuration) was fixed in `2.12.3`:

- 95b24f77e77e4f1e5cc794df5332643e944fd6f8

**Note**: Unless I am mistaken, version `2.17.1` didn't contain any security updates.
@ppkarwasz ppkarwasz requested a review from vy January 27, 2025 12:39
ppkarwasz added a commit that referenced this pull request Jan 27, 2025
See #6 for references to the commits that implement the fixes.
@rgoers (Member) commented Mar 14, 2025

First, I think you should link to https://musigma.blog/2023/11/10/log4shell-history.html. While Matt's page says Log4Shell was fixed in 2.16.0 my recollection was that 2.17.0 was the only release I would recommend. I believe that was the release where Carter finally resolved the problems with recursive lookups.

FWIW - 44228 was NOT just about JNDI. It was the combination of the JNDI bug with the recursive lookup on message data that caused Log4Shell. While both were bad, either on their own would not have been anywhere near as serious.

@ppkarwasz (Contributor, Author) commented:

> First, I think you should link to https://musigma.blog/2023/11/10/log4shell-history.html. While Matt's page says Log4Shell was fixed in 2.16.0 my recollection was that 2.17.0 was the only release I would recommend. I believe that was the release where Carter finally resolved the problems with recursive lookups.

The main change in this PR is the statement that 2.17.0 did not contain the CVE-2021-44832 vulnerability (i.e. remote code execution by modification of the configuration of a JDBC appender). The NVD entry states "This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", but this is incorrect, since the limitation was introduced in 2.17.0:

apache/logging-log4j2@f6564bb

Note:

I wouldn't recommend 2.17.0 either, since:

- It is not the latest patch release of the 2.17.x branch. Version 2.17.2 IMHO should have been a MINOR release, but let us keep it simple: you should always upgrade to the last patch release of the minor release you use, without questioning. If suddenly maintainers decide to release patches to an old minor version (as happened with 2.3.x or 2.12.x) there must be a reason.
- It is not maintained any more. Sure, users that only use documented properties and features should be able to upgrade to 2.24.3 without any problems, but somehow problems always appear on such big upgrades.
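The practical consequence of the fix lists above, and of the NVD wording disputed in this comment, is that an "is this version affected?" check has to be branch-aware: the 2.3.x and 2.12.x backport releases carry fixes that a plain "older than 2.17.x" comparison misclassifies. The following is an added example (not code from the Log4j project or from this PR) that encodes the fix versions as the PR description lists them, taking 2.17.0 for the mainline fixes of CVE-2021-45105 and CVE-2021-44832 from the branch summary and from this comment, and places the NVD reading quoted here ("2.17.1, 2.12.4, and 2.3.2") beside it so the two can be compared. The function names, the rule that a 2.3.z release belongs to the 2.3.x branch and a 2.12.z release to 2.12.x, and the sample version strings are assumptions of the example.

```python
"""Branch-aware "is this Log4j Core version affected?" check.

Hypothetical example built from the fix versions listed in the PR description;
not code from the Log4j project. The rule that a 2.3.z release belongs to the
2.3.x branch and a 2.12.z release to the 2.12.x branch is an assumption.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fix versions per branch, as the PR description states them. For the mainline
# branch the description gives 2.17.0 for CVE-2021-45105 and CVE-2021-44832
# (the latter being the correction the PR argues for).
FIXED_IN: Dict[str, Dict[str, Version]] = {
    "CVE-2021-44228": {"2.3.x": (2, 3, 1), "2.12.x": (2, 12, 2), "2.x": (2, 15, 0)},
    "CVE-2021-45046": {"2.3.x": (2, 3, 1), "2.12.x": (2, 12, 3), "2.x": (2, 16, 0)},
    "CVE-2021-45105": {"2.3.x": (2, 3, 1), "2.12.x": (2, 12, 3), "2.x": (2, 17, 0)},
    "CVE-2021-44832": {"2.3.x": (2, 3, 1), "2.12.x": (2, 12, 3), "2.x": (2, 17, 0)},
}

# The NVD text quoted in the discussion ("fixed ... in Log4j2 versions 2.17.1,
# 2.12.4, and 2.3.2"), kept separately so the two readings can be compared.
NVD_FIXED_IN_44832: Dict[str, Version] = {
    "2.3.x": (2, 3, 2), "2.12.x": (2, 12, 4), "2.x": (2, 17, 1),
}


def parse_version(text: str) -> Version:
    """Parse "2.17.0" or "2.3" (older releases omit the patch number) into a tuple."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def branch_of(v: Version) -> Optional[str]:
    """Map a release to the branch whose fix list applies (None outside 2.x)."""
    if v[0] != 2:
        return None  # 1.x and 3.x are outside what the PR records
    if v[1] == 3:
        return "2.3.x"
    if v[1] == 12:
        return "2.12.x"
    return "2.x"


def is_affected(cve: str, version: str,
                fixed_in: Dict[str, Dict[str, Version]] = FIXED_IN) -> Optional[bool]:
    """True if `version` predates the fix on its own branch; None if out of scope."""
    v = parse_version(version)
    branch = branch_of(v)
    if branch is None:
        return None
    return v < fixed_in[cve][branch]


def summarize(version: str) -> Dict[str, Optional[bool]]:
    """Affected / not-affected verdict for every CVE in the table."""
    return {cve: is_affected(cve, version) for cve in FIXED_IN}


def nvd_disagreements(versions: List[str]) -> List[str]:
    """Versions where the NVD reading and the PR's fix list disagree on CVE-2021-44832."""
    nvd_table = {"CVE-2021-44832": NVD_FIXED_IN_44832}
    return [
        ver for ver in versions
        if is_affected("CVE-2021-44832", ver) != is_affected("CVE-2021-44832", ver, nvd_table)
    ]


if __name__ == "__main__":
    # Sample version strings (constructed for the demo; 2.24.3 is the release named above).
    for ver in ("2.3", "2.3.1", "2.12.2", "2.14.1", "2.16.0", "2.17.0", "2.24.3"):
        print(ver, summarize(ver))
    print("NVD vs. PR for CVE-2021-44832:",
          nvd_disagreements(["2.3.1", "2.3.2", "2.12.3", "2.12.4", "2.17.0", "2.17.1"]))
```

Run as a script it prints one verdict line per sample version; the last line lists exactly the three releases (2.3.1, 2.12.3, 2.17.0) that the NVD wording marks as affected by CVE-2021-44832 while the commit list in the PR marks them fixed, which is the discrepancy this comment describes. Routing each version to its own branch before comparing is what keeps the backport releases from being flagged by a mainline-only range.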

@ppkarwasz ppkarwasz merged commit ed177e2 into main Aug 17, 2025
@vy vy deleted the doc/vulnerabilities branch August 18, 2025 07:13