Bug 29771

Summary: log4j12 new security issues CVE-2019-17571, CVE-2021-4104, and CVE-2022-2330[257]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: release_blocker CC: geiger.david68210, mageia, smelror, yvesbrungard
Version: Cauldron   
Target Milestone: Mageia 9   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO
Source RPM: euclide-0.6.6-8.mga8.src.rpm, eclipse-cdt-9.11.1-1.mga8.src.rpm, vstar-2.18.0-3.mga8.src.rpm, davmail-5.5.1-1.mga8.src.rpm, jitsi-2.10.5550-10.mga8.src.rpm, geometria-3.2-0.r258.9.mga8.src.rpm CVE:
Status comment: Several packages bundling potentially vulnerable log4j 1.2.x
Bug Depends on:    
Bug Blocks: 30163    

Description David Walser 2021-12-16 19:14:22 CET 
Apache has issued an advisory on December 13:
https://www.openwall.com/lists/oss-security/2021/12/13/1

We no longer have a system version of log4j12 packaged, so it's bundled into davmail, eclipse-cdt, euclide, geometria, jitsi, and vstar in Mageia 8 and Cauldron (eclipse-cdt has been dropped in Cauldron):
https://ml.mageia.org/l/arc/qa-discuss/2021-12/msg00022.html

The CVE is only valid in a non-default configuration, so I don't know if any of these packages are actually affected in their usage of log4j 1.2.x.  There may be a fix available, though it's not clear how Red Hat addressed it in OpenShift Container Platform, and log4j 1.2.x is vulnerable to other CVEs, so really these packages just should not be continuing to use it:
https://bugzilla.redhat.com/show_bug.cgi?id=2031667

Furthermore, this kind of bundling is against our packaging policies, so we should do something about it if we can.
David Walser 2021-12-16 19:14:48 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Several packages bundling potentially vulnerable log4j 1.2.x

Comment 1 Lewis Smith 2021-12-16 20:37:09 CET 
No reference to log4j12 as an independant pkg/srpm; the only indirect reference I could find for it was:
 $ urpmf log4j12
 davmail:/usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar
which agrees with DavidW, but his list is much more extensive:-

 euclide: nobody
 eclipse-cdt: [neoclust], various
 vstar: [joequant], nobody
 davmail: kekepower
 jitsi: daviddavid
 geometria: nobody

Assigning this globally (CC'ing those packagers with identifiable relevance);
but in the light of:
> log4j 1.2.x is vulnerable to other CVEs, so really these packages
> just should not be continuing to use it.
> this kind of bundling is against our packaging policies,
> so we should do something about it if we can
it looks good for discussion on the packager mailList.

CC: (none) => geiger.david68210, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-12-17 19:32:15 CET 
openSUSE has issued an advisory for this today (December 17):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U355AEBE4AWYTPUPBMC3XAO6XBTWFRBL/
Comment 3 papoteur 2021-12-18 08:33:44 CET 
jitsi embeds release 1.2.17 of the log4j.jar
https://github.com/jitsi/jitsi/tree/master/lib/bundle

For vstar, the jar is in 1.2.9 and comes from cobertura 1.9.3.
https://sourceforge.net/p/vstar/code/HEAD/tree/tags/DEV-AAVSO-02Sep2016/extlib/cobertura-1.9.3/lib/

CC: (none) => yves.brungard_mageia

Comment 5 sturmvogel 2021-12-18 14:34:27 CET 
Euclide and geometria seems dead upstream (2014 and 2018 last activity). So they should be dropped completely in cauldron.
Comment 6 David Walser 2021-12-18 17:19:42 CET 
It's hard to believe they aren't all dead if they're still using 1.2.x.

Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9

Comment 7 David Walser 2021-12-21 18:13:33 CET 
RedHat has issued an advisory for this on December 20:
https://access.redhat.com/errata/RHSA-2021:5206

Fix applied was:
https://git.centos.org/rpms/log4j/c/33cff61a2fcde5901b8802b4a3184b906dc4b8fe?branch=c7
Comment 8 David Walser 2022-01-13 17:16:34 CET 
Ubuntu has issued an advisory for this on January 12:
https://ubuntu.com/security/notices/USN-5223-1
Comment 9 David Walser 2022-01-18 15:58:51 CET 
Apache has issued advisories today (January 18):
https://www.openwall.com/lists/oss-security/2022/01/18/3
https://www.openwall.com/lists/oss-security/2022/01/18/4
https://www.openwall.com/lists/oss-security/2022/01/18/5

The first two issues affect non-default configurations, but the third looks to be a more general issue.  Continued usage of Log4j 1.2.x appears to be unsafe.

Summary: log4j12 new security issue CVE-2021-4104 => log4j12 new security issues CVE-2021-4104 and CVE-2022-2330[257]

Comment 10 David Walser 2022-01-27 17:38:30 CET 
SUSE has issued an advisory for the new CVEs on January 26:
https://lists.suse.com/pipermail/sle-security-updates/2022-January/010085.html
Comment 11 David Walser 2022-02-01 18:00:19 CET 
Debian-LTS has issued an advisory for this on January 31:
https://www.debian.org/lts/security/2022/dla-2905
Comment 12 David Walser 2022-02-07 18:49:18 CET 
RedHat has issued an advisory for this today (February 7):
https://access.redhat.com/errata/RHSA-2022:0442
Comment 13 David Walser 2023-04-06 18:56:45 CEST 
Ubuntu has issued an advisory for this on April 5:
https://ubuntu.com/security/notices/USN-5998-1

Any packages still bundling log4j 1.x should be dropped.

Summary: log4j12 new security issues CVE-2021-4104 and CVE-2022-2330[257] => log4j12 new security issues CVE-2019-17571, CVE-2021-4104, and CVE-2022-2330[257]
Blocks: (none) => 30163

Comment 14 Nicolas Lécureuil 2023-06-06 16:03:41 CEST 
i removed davmail.

There is no log4j 1.2 package anymore

CC: (none) => mageia
Status: NEW => RESOLVED
Resolution: (none) => FIXED