Bug 29771 - log4j12 new security issues CVE-2019-17571, CVE-2021-4104, and CVE-2022-2330[257]
Summary: log4j12 new security issues CVE-2019-17571, CVE-2021-4104, and CVE-2022-2330[...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: release_blocker normal
Target Milestone: Mageia 9
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks: 30163
Reported: 2021-12-16 19:14 CET by David Walser
Modified: 2023-06-06 16:03 CEST (History)

See Also:
Source RPM: euclide-0.6.6-8.mga8.src.rpm, eclipse-cdt-9.11.1-1.mga8.src.rpm, vstar-2.18.0-3.mga8.src.rpm, davmail-5.5.1-1.mga8.src.rpm, jitsi-2.10.5550-10.mga8.src.rpm, geometria-3.2-0.r258.9.mga8.src.rpm
CVE:
Status comment: Several packages bundling potentially vulnerable log4j 1.2.x


Description David Walser 2021-12-16 19:14:22 CET
Apache has issued an advisory on December 13:
https://www.openwall.com/lists/oss-security/2021/12/13/1

We no longer have a system version of log4j12 packaged, so it's bundled into davmail, eclipse-cdt, euclide, geometria, jitsi, and vstar in Mageia 8 and Cauldron (eclipse-cdt has been dropped in Cauldron):
https://ml.mageia.org/l/arc/qa-discuss/2021-12/msg00022.html

The CVE is only valid in a non-default configuration, so I don't know if any of these packages are actually affected in their usage of log4j 1.2.x.  There may be a fix available, though it's not clear how Red Hat addressed it in OpenShift Container Platform, and log4j 1.2.x is vulnerable to other CVEs, so really these packages just should not be continuing to use it:
https://bugzilla.redhat.com/show_bug.cgi?id=2031667

Furthermore, this kind of bundling is against our packaging policies, so we should do something about it if we can.
David Walser 2021-12-16 19:14:48 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Several packages bundling potentially vulnerable log4j 1.2.x

Comment 1 Lewis Smith 2021-12-16 20:37:09 CET
No reference to log4j12 as an independent pkg/srpm; the only indirect reference I could find for it was:
 $ urpmf log4j12
 davmail:/usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar
which agrees with DavidW, but his list is much more extensive:-

 euclide: nobody
 eclipse-cdt: [neoclust], various
 vstar: [joequant], nobody
 davmail: kekepower
 jitsi: daviddavid
 geometria: nobody

Assigning this globally (CC'ing those packagers with identifiable relevance);
but in the light of:
> log4j 1.2.x is vulnerable to other CVEs, so really these packages
> just should not be continuing to use it.
> this kind of bundling is against our packaging policies,
> so we should do something about it if we can
it looks good for discussion on the packager mailList.

CC: (none) => geiger.david68210, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-12-17 19:32:15 CET
openSUSE has issued an advisory for this today (December 17):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U355AEBE4AWYTPUPBMC3XAO6XBTWFRBL/
Comment 3 papoteur 2021-12-18 08:33:44 CET
jitsi embeds release 1.2.17 of the log4j.jar
https://github.com/jitsi/jitsi/tree/master/lib/bundle

For vstar, the jar is in 1.2.9 and comes from cobertura 1.9.3.
https://sourceforge.net/p/vstar/code/HEAD/tree/tags/DEV-AAVSO-02Sep2016/extlib/cobertura-1.9.3/lib/

CC: (none) => yves.brungard_mageia

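A check a packager could run over the unpacked payload of the SRPMs listed in this bug, added here as an example and not taken from the bug or from Mageia's tooling: it walks a directory tree, identifies Log4j 1.x jars by the classes they contain (so davmail's slf4j-log4j12 binding, which only adapts SLF4J to Log4j, is not reported as Log4j itself), reads the version from Maven metadata, the manifest, or the file name, and lists which of the classes covered by the CVEs in the title are still present. The class-to-CVE mapping comes from the upstream Apache advisories rather than from this bug, and the directory layout and jar contents below are constructed stand-ins for jitsi's 1.2.17 jar, vstar's cobertura-bundled 1.2.9 jar, a rebuilt jar with JMSAppender removed, and davmail's slf4j binding.

```python
"""Find bundled Log4j 1.x jars under a tree and report which end-of-life
components they still ship.  Added example, not Mageia's own tooling."""
import os
import re
import shutil
import tempfile
import zipfile

# Classes the Apache advisories referenced in this bug concern (mapping from
# the upstream advisories, not from the bug).  A jar lacking all of them, like
# the Red Hat rebuild, still needs replacing, but these CVEs cannot be
# triggered through it.
RISKY_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/Main.class": "CVE-2022-23307",
}
VERSION_IN_NAME = re.compile(r"log4j-(\d+(?:\.\d+)*)\.jar$")
FAKE_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic, enough for a constructed stand-in


def log4j1_version(jar_path):
    """Return the version of a Log4j 1.x jar, or None when the jar is not
    Log4j itself (an slf4j binding merely named *log4j12* does not count)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if "org/apache/log4j/Logger.class" not in names:
            return None
        # Maven metadata is the most reliable marker on a 1.2.x release jar.
        pom = "META-INF/maven/log4j/log4j/pom.properties"
        if pom in names:
            for line in zf.read(pom).decode("latin-1").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("latin-1").splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    # Old jars (1.2.9 in cobertura) carry no metadata; fall back to the name.
    m = VERSION_IN_NAME.search(os.path.basename(jar_path))
    return m.group(1) if m else "unknown"


def scan_tree(root):
    """Return sorted (relative path, version, [CVE ids of risky classes present])
    for every Log4j 1.x jar below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j1_version(path)
            if version is None:
                continue
            with zipfile.ZipFile(path) as zf:
                names = set(zf.namelist())
            present = sorted(cve for cls, cve in RISKY_CLASSES.items() if cls in names)
            findings.append((os.path.relpath(path, root), version, present))
    return sorted(findings)


def _write_jar(path, entries):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed stand-ins (not real jars) for the layouts named in this bug."""
    full = {"org/apache/log4j/Logger.class": FAKE_CLASS}
    full.update({cls: FAKE_CLASS for cls in RISKY_CLASSES})
    # jitsi: upstream 1.2.17 jar with Maven metadata
    _write_jar(os.path.join(root, "jitsi/lib/bundle/log4j.jar"),
               dict(full, **{"META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n"}))
    # vstar: 1.2.9 pulled in by cobertura, no metadata at all
    _write_jar(os.path.join(root, "vstar/extlib/cobertura-1.9.3/lib/log4j-1.2.9.jar"), full)
    # a distro rebuild that dropped JMSAppender but kept everything else
    stripped = {k: v for k, v in full.items() if k != "org/apache/log4j/net/JMSAppender.class"}
    _write_jar(os.path.join(root, "rebuilt/log4j-1.2.17.jar"),
               dict(stripped, **{"META-INF/MANIFEST.MF":
                                  b"Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n"}))
    # davmail: slf4j binding, matches `urpmf log4j12` but is not Log4j
    _write_jar(os.path.join(root, "davmail/lib/slf4j-log4j12-1.7.25.jar"),
               {"org/slf4j/impl/Log4jLoggerAdapter.class": FAKE_CLASS})


def demo():
    """Build the constructed tree in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, version, cves in demo():
        print(f"{rel}: log4j {version}; exposed: {', '.join(cves) or 'none of the listed CVEs'}")
```

Run it against a real unpacked build tree as `scan_tree("/path/to/BUILD")`; the slf4j binding is deliberately excluded so the output matches what actually needs removing rather than what `urpmf log4j12` happens to grep.
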
Comment 5 sturmvogel 2021-12-18 14:34:27 CET
Euclide and geometria seem dead upstream (2014 and 2018 last activity). So they should be dropped completely in Cauldron.
Comment 6 David Walser 2021-12-18 17:19:42 CET
It's hard to believe they aren't all dead if they're still using 1.2.x.

Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9

Comment 7 David Walser 2021-12-21 18:13:33 CET
RedHat has issued an advisory for this on December 20:
https://access.redhat.com/errata/RHSA-2021:5206

Fix applied was:
https://git.centos.org/rpms/log4j/c/33cff61a2fcde5901b8802b4a3184b906dc4b8fe?branch=c7
Comment 8 David Walser 2022-01-13 17:16:34 CET
Ubuntu has issued an advisory for this on January 12:
https://ubuntu.com/security/notices/USN-5223-1
Comment 9 David Walser 2022-01-18 15:58:51 CET
Apache has issued advisories today (January 18):
https://www.openwall.com/lists/oss-security/2022/01/18/3
https://www.openwall.com/lists/oss-security/2022/01/18/4
https://www.openwall.com/lists/oss-security/2022/01/18/5

The first two issues affect non-default configurations, but the third looks to be a more general issue.  Continued usage of Log4j 1.2.x appears to be unsafe.

Summary: log4j12 new security issue CVE-2021-4104 => log4j12 new security issues CVE-2021-4104 and CVE-2022-2330[257]

Comment 10 David Walser 2022-01-27 17:38:30 CET
SUSE has issued an advisory for the new CVEs on January 26:
https://lists.suse.com/pipermail/sle-security-updates/2022-January/010085.html
Comment 11 David Walser 2022-02-01 18:00:19 CET
Debian-LTS has issued an advisory for this on January 31:
https://www.debian.org/lts/security/2022/dla-2905
Comment 12 David Walser 2022-02-07 18:49:18 CET
RedHat has issued an advisory for this today (February 7):
https://access.redhat.com/errata/RHSA-2022:0442
Comment 13 David Walser 2023-04-06 18:56:45 CEST
Ubuntu has issued an advisory for this on April 5:
https://ubuntu.com/security/notices/USN-5998-1

Any packages still bundling log4j 1.x should be dropped.

Summary: log4j12 new security issues CVE-2021-4104 and CVE-2022-2330[257] => log4j12 new security issues CVE-2019-17571, CVE-2021-4104, and CVE-2022-2330[257]
Blocks: (none) => 30163

Comment 14 Nicolas Lécureuil 2023-06-06 16:03:41 CEST
I removed davmail.

There is no log4j 1.2 package anymore

CC: (none) => mageia
Status: NEW => RESOLVED
Resolution: (none) => FIXED

