Posted to dev@maven.apache.org by John Patrick <nh...@gmail.com> on 2022/03/01 21:08:42 UTC

Re: Maven Dependency Plugin - Log4j vulnerabilities

You might need to raise a bug with your security scanner regarding false
positives.

So in your dependency tree I only see log4j 2.17.1; i.e.

Your Pom
- org.springframework.boot:spring-boot-starter-web:2.6.4
-- org.springframework.boot:spring-boot-starter-web:2.6.4
--- org.springframework.boot:spring-boot-starter:2.6.4
---- org.springframework.boot:spring-boot-starter-logging:2.6.4
----- org.apache.logging.log4j:log4j-to-slf4j:2.17.1
------ org.apache.logging.log4j:log4j-api:2.17.1

Doing a build "mvn clean install -Dmaven.repo.local=repo"
Then "find repo -name "*log4j*" -type f", only returns;
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar.sha1
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar.sha1
repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom
repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom
repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1

What version does the scanner say it's found?

John


On Mon, 28 Feb 2022 at 23:15, Juraj Veverka
<ju...@globallogic.com.invalid> wrote:

> Hi David
>
> Just for clarification: we are not relying on the maven dependency plugin
> at runtime. Our runtime is perfectly clear of log4j vulnerabilities.
> The problem is that our security scanners are scanning gitlab runner nodes
> (virtual machines on which we compile and package our application) and
> log4j vulnerability is found there.
>
> Kind regards
> Juraj Veverka
>
> On Mon, Feb 28, 2022 at 1:32 PM Juraj Veverka <juraj.veverka@globallogic.com>
> wrote:
>
> > Hi David
> >
> > Many thanks for your email, I really appreciate your reply. This is an
> > isolated example of the problem.
> > https://github.com/jveverka/mvn-dependency-log4j
> > You can find all repro steps there. In case of any questions, feel free
> > to contact me.
> >
> > Kind regards
> > Juraj Veverka
> >
> >
> >
> > On Mon, Feb 28, 2022 at 12:14 PM David Milet <da...@gmail.com>
> > wrote:
> >
> >> Where I work we decided to address log4j vulnerabilities only for
> >> components directly used by the application and actually performing
> >> logging.
> >> We ignored transitive dependencies and maven plug-ins.
> >> I’m curious about this use case from Venu though, what application would
> >> rely on the maven dependency plugin at runtime? Does it mean you’re
> >> pulling maven dependencies after application startup?
> >>
> >> > On Feb 28, 2022, at 03:30, Slawomir Jaranowski <s.jaranowski@gmail.com>
> >> > wrote:
> >> >
> >> > Hi,
> >> >
> >> > Please provide more information, like plugin, maven, os version.
> >> >
> >> > We also need an example project which reproduces your issue.
> >> > When we can't reproduce we can't help.
> >> >
> >> > pon., 28 lut 2022 o 08:55 Jaladi, Venumadhav
> >> > <ja...@verizon.com.invalid> napisał(a):
> >> >
> >> >> Hi team,
> >> >>
> >> >> Can I expect any response?  Is this the right email address for my
> >> >> question?
> >> >>
> >> >> Thanks,
> >> >> Venu
> >> >>
> >> >>
> >> >>> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav
> >> >>> <jaladi.venumadhav@verizon.com> wrote:
> >> >>>
> >> >>> Hi team,
> >> >>>
> >> >>> We are using the Maven Dependency Plugin in one of our projects and
> >> >>> our scanning tools are showing multiple vulnerabilities related to
> >> >>> Log4j (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
> >> >>> CVE-2022-23307 and CVE-2021-4104).
> >> >>>
> >> >>> We would like to know if there are any plans to release a newer
> >> >>> version of Maven Dependency Plugin with the fixes of these
> >> >>> vulnerabilities (referring to the latest version of Log4j libraries).
> >> >>> If so, is there any planned date for this release?
> >> >>>
> >> >>> Please let us know if any more information is required.
> >> >>>
> >> >>> Thanks,
> >> >>> Venu
> >> >>>
> >> >>
> >> >
> >> >
> >> > --
> >> > Sławomir Jaranowski
> >>
> >>
> >
> > --
> >
> > Best Regards
> >
> >
> > --
> >
> > Juraj Veverka <https://github.com/jveverka> | Solution Design Architect
> >
> > M +421 917 521 285
> >
> > www.globallogic.sk  <https://www.globallogic.com/sk/>
> >
> >   <https://www.facebook.com/GlobalLogicSlovakia> [image: GLTwitter]
> > <https://twitter.com/GlobalLogic_SR>
> > <https://www.linkedin.com/company/9409064/admin/>
> > <https://www.youtube.com/channel/UClazQeLF6Oas1ZVs-Iaq2Bg>
> > <https://www.instagram.com/globallogic_slovakia/>
> >
> > http://www.globallogic.com/Disclaimer.htm
> >
> >
> >
>

Re: Maven Dependency Plugin - Log4j vulnerabilities

Posted by Piotr Żygieło <pi...@gmail.com>.
On Thu, 3 Mar 2022 at 07:27, Jaladi, Venumadhav
>
> Below I am pasting some of the information on the 3 vulnerabilities from
> our report.

It's hard to talk about that report, for (as said at least twice) the linked
reproducer does not demonstrate that it actually downloads the vulnerable
log4j:1.2.12 jar.

-- 
Piotrek

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
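
An added example (not code from the thread, the Maven project or Tenable) of the check John and Piotr are asking for: walk a Maven local repository and report, per log4j coordinate, whether only the POM was resolved or the jar itself is on disk. It assumes the standard local-repository layout; the sample tree is constructed from John's `find` listing above, and the jar path comes from the Tenable report later in this thread so the positive case can be shown too.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Relative paths copied from John's `find repo -name "*log4j*"` listing above
# (a build run with -Dmaven.repo.local=repo): for log4j:log4j:1.2.12 only the
# POM and its checksum were resolved, no 1.x jar.
POM_ONLY_BUILD = [
    "org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar",
    "org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom.sha1",
    "org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom",
    "org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar.sha1",
    "org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom",
    "org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom.sha1",
    "org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar",
    "org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar.sha1",
    "org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom",
    "org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom.sha1",
    "org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom.sha1",
    "org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom",
    "log4j/log4j/1.2.12/log4j-1.2.12.pom",
    "log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1",
]
# The file the Tenable report in this thread flags under .m2/repository. With
# it present the 1.x finding is real; with only the POM there is nothing
# loadable on disk, which is John's and Piotr's point.
LEGACY_JAR = "log4j/log4j/1.2.12/log4j-1.2.12.jar"


@dataclass
class Artifact:
    group_id: str
    artifact_id: str
    version: str
    files: set = field(default_factory=set)  # subset of {"jar", "pom"}

    @property
    def gav(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.version}"


def scan_local_repo(repo_root: str, needle: str = "log4j") -> dict:
    """Group primary jar/pom files under repo_root by groupId:artifactId:version.

    Assumes the standard layout <groupId dirs>/<artifactId>/<version>/
    <artifactId>-<version>.<ext>. Checksums (*.sha1, *.md5) and classifier
    jars are ignored: only the primary jar proves bytecode is on disk.
    """
    found = {}
    for dirpath, _dirs, names in os.walk(repo_root):
        parts = os.path.relpath(dirpath, repo_root).split(os.sep)
        if len(parts) < 3:
            continue
        group_id, artifact_id, version = ".".join(parts[:-2]), parts[-2], parts[-1]
        if needle not in group_id and needle not in artifact_id:
            continue
        stem = f"{artifact_id}-{version}"
        for name in names:
            if name in (stem + ".jar", stem + ".pom"):
                key = (group_id, artifact_id, version)
                art = found.setdefault(key, Artifact(*key))
                art.files.add(name.rsplit(".", 1)[1])
    return {a.gav: a for a in found.values()}


def classify(art: Artifact) -> str:
    """Triage verdict for one log4j coordinate."""
    if (art.group_id, art.artifact_id) != ("log4j", "log4j"):
        return "log4j2"                 # 2.x line; check the 2.x advisories separately
    if "jar" in art.files:
        return "log4j1-jar-present"     # bytecode on disk: the finding is real
    return "log4j1-pom-only"            # metadata only, nothing loadable


def triage(repo_root: str) -> dict:
    """Map every log4j coordinate found under repo_root to its verdict."""
    return {gav: classify(a) for gav, a in scan_local_repo(repo_root).items()}


def build_repo(paths) -> str:
    """Constructed fixture: a throwaway repo with empty files at these paths."""
    root = tempfile.mkdtemp(prefix="m2-")
    for rel in paths:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return root


if __name__ == "__main__":
    for label, paths in (("build output only", POM_ONLY_BUILD),
                         ("with the scanner-flagged jar", POM_ONLY_BUILD + [LEGACY_JAR])):
        print(f"== {label}")
        for gav, verdict in sorted(triage(build_repo(paths)).items()):
            print(f"  {verdict:20} {gav}")
```

Point it at a real `~/.m2/repository` on a build node to see whether a 1.x jar is actually cached there or only its POM.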


Re: Maven Dependency Plugin - Log4j vulnerabilities

Posted by "Jaladi, Venumadhav" <ja...@verizon.com.INVALID>.
Hi,

Below I am pasting some of the information on the 3 vulnerabilities from
our report.  FYI, I removed the information about the server details and
also trimmed the file path.  This report is generated by the Tenable agent.

Report columns: Severity, Scan date, Vuln Name, Description, Summary, Fix,
CVE ID, CVSS Base Score, Plugin Output.

Severity: Critical
Scan date: 3/02/2022
Vuln Name: Apache Log4j Unsupported Version Detection
Description: According to its self-reported version number, the installation
of Apache Log4j on the remote host is no longer supported. Log4j reached its
end of life prior to 2016.

Lack of support implies that no new security patches for the product will
be released by the vendor. As a result, it is likely to contain security
vulnerabilities.
Summary: A logging library running on the remote host is no longer supported.
Fix: Upgrade to a version of Apache Log4j that is currently supported.

Upgrading to the latest versions for Apache Log4j is highly recommended as
intermediate versions / patches have known high severity vulnerabilities
and the vendor is updating their advisories often as new research and
knowledge about the impact of Log4j is discovered. Refer to
https://logging.apache.org/log4j/2.x/security.html for the latest versions.
CVE ID: (none listed)
CVSS Base Score: 10
Plugin Output:
  Path              : .../.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
  Installed version : 1.2.12

Severity: Critical
Scan date: 3/02/2022
Vuln Name: Apache Log4j 1.x Multiple Vulnerabilities
Description: According to its self-reported version number, the installation
of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j
reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by
multiple vulnerabilities, including:

  - Log4j includes a SocketServer that accepts serialized log events and
    deserializes them without verifying whether the objects are allowed or
    not. This can provide an attack vector that can be exploited.
    (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j
    SMTP appender. This could allow an SMTPS connection to be intercepted
    by a man-in-the-middle attack which could leak any log messages sent
    through that appender. (CVE-2020-9488)

  - JMSSink uses JNDI in an unprotected manner allowing any application
    using the JMSSink to be vulnerable if it is configured to reference an
    untrusted site or if the site referenced can be accessed by the attacker.
    (CVE-2022-23302)

Lack of support implies that no new security patches for the product will
be released by the vendor. As a result, it is likely to contain security
vulnerabilities.
Summary: A logging library running on the remote host has multiple
vulnerabilities.
Fix: Upgrade to a version of Apache Log4j that is currently supported.

Upgrading to the latest versions for Apache Log4j is highly recommended as
intermediate versions / patches have known high severity vulnerabilities
and the vendor is updating their advisories often as new research and
knowledge about the impact of Log4j is discovered. Refer to
https://logging.apache.org/log4j/2.x/security.html for the latest versions.
CVE ID: CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
CVE-2022-23307
CVSS Base Score: 10
Plugin Output:
  Path              : .../.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
  Installed version : 1.2.12

Severity: High
Scan date: 3/02/2022
Vuln Name: Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
Description: The version of Apache Log4j on the remote host is 1.2. It is,
therefore, affected by a remote code execution vulnerability when
specifically configured to use JMSAppender.

Note that Nessus has not tested for these issues but has instead relied
only on the application's self-reported version number.
Summary: A package installed on the remote host is affected by a remote code
execution vulnerability.
Fix: Upgrade to Apache Log4j version 2.16.0 or later since 1.x is end of life.

Upgrading to the latest versions for Apache Log4j is highly recommended as
intermediate versions / patches have known high severity vulnerabilities
and the vendor is updating their advisories often as new research and
knowledge about the impact of Log4j is discovered. Refer to
https://logging.apache.org/log4j/2.x/security.html for the latest versions.
CVE ID: CVE-2021-4104
CVSS Base Score: 6
Plugin Output:
  Path              : .../.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
  Installed version : 1.2.12
  Fixed version     : 2.16.0

Thanks,
Venu


On Tue, Mar 1, 2022 at 3:09 PM John Patrick <nh...@gmail.com> wrote:

> You might need to raise a bug with your security scanner regarding false
> positives.
>
> So your dependency tree I only see log4j 2.17.1; i.e.
>
> Your Pom
> - org.springframework.boot:spring-boot-starter-web:2.6.4
> -- org.springframework.boot:spring-boot-starter-web:2.6.4
> --- org.springframework.boot:spring-boot-starter:2.6.4
> ---- org.springframework.boot:spring-boot-starter-logging:2.6.4
> ----- org.apache.logging.log4j:log4j-to-slf4j:2.17.1
> ------ org.apache.logging.log4j:log4j-api:2.17.1
>
> Doing a build "mvn clean install -Dmaven.repo.local=repo"
> Then "find repo -name "*log4j*" -type f", only returns;
> repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar
> repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom.sha1
> repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom
> repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar.sha1
>
> repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom
>
> repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom.sha1
>
> repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar
>
> repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar.sha1
> repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom
> repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom.sha1
> repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom.sha1
> repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom
> repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
> repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
>
> What version does the scanner say its found?
>
> John
>
>

Re: Maven Dependency Plugin - Log4j vulnerabilities

Posted by "Jaladi, Venumadhav" <ja...@verizon.com.INVALID>.
Hi,

Below I am pasting some of the information on the 3 vulnerabilities from
our report.  FYI, I removed the information about the server details and
also trimmed the file path.  This report is generated by the Tenable agent.

Severity scandate Vuln Name Description Summary Fix CVE ID CVS Base
Score Plugin
Output
Critical 3/02/2022 Apache Log4j Unsupported Version Detection According to
its self-reported version number, the installation of Apache Log4j on the
remote host is no longer supported. Log4j reached its end of life prior to
2016.

Lack of support implies that no new security patches for the product will
be released by the vendor. As a result, it is likely to contain security
vulnerabilities. A logging library running on the remote host is no longer
supported. Upgrade to a version of Apache Log4j that is currently supported.

Upgrading to the latest versions for Apache Log4j is highly recommended as
intermediate versions / patches have known high severity vulnerabilities
and the vendor is updating their advisories often as new research and
knowledge about the impact of Log4j is discovered. Refer to
https://logging.apache.org/log4j/2.x/security.html for the latest versions.
  10 Path              :
.../.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
  Installed version : 1.2.12
Critical 3/02/2022 Apache Log4j 1.x Multiple Vulnerabilities According to
its self-reported version number, the installation of Apache Log4j on the
remote host is 1.x and is no longer supported. Log4j reached its end of
life prior to 2016. Additionally, Log4j 1.x is affected by multiple
vulnerabilities, including :

  - Log4j includes a SocketServer that accepts serialized log events and
deserializes them without verifying whether     the objects are allowed or
not. This can provide an attack vector that can be exploited.
(CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j
SMTP appender. This could allow an SMTPS     connection to be intercepted
by a man-in-the-middle attack which could leak any log messages sent
through that     appender. (CVE-2020-9488)

  - JMSSink uses JNDI in an unprotected manner allowing any application
using the JMSSink to be vulnerable if it is     configured to reference an
untrusted site or if the site referenced can be accesseed by the attacker.
    (CVE-2022-23302)

Lack of support implies that no new security patches for the product will
be released by the vendor. As a result, it is likely to contain security
vulnerabilities. A logging library running on the remote host has multiple
vulnerabilities. Upgrade to a version of Apache Log4j that is currently
supported.

Upgrading to the latest versions for Apache Log4j is highly recommended as
intermediate versions / patches have known high severity vulnerabilities
and the vendor is updating their advisories often as new research and
knowledge about the impact of Log4j is discovered. Refer to
https://logging.apache.org/log4j/2.x/security.html for the latest
versions. CVE-2019-17571,
CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 10 Path
: .../.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
  Installed version : 1.2.12
High 3/02/2022 Apache Log4j 1.2 JMSAppender Remote Code Execution
(CVE-2021-4104) The version of Apache Log4j on the remote host is 1.2. It
is, therefore, affected by a remote code execution vulnerability when
specifically configured to use JMSAppender.

Note that Nessus has not tested for these issues but has instead relied
only on the application's self-reported version number. A package installed
on the remote host is affected by a remote code execution
vulnerability. Upgrade
to Apache Log4j version 2.16.0 or later since 1.x is end of life.

Upgrading to the latest versions for Apache Log4j is highly recommended as
intermediate versions / patches have known high severity vulnerabilities
and the vendor is updating their advisories often as new research and
knowledge about the impact of Log4j is discovered. Refer to
https://logging.apache.org/log4j/2.x/security.html for the latest versions.
CVE-2021-4104 6 Path              :
.../.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
  Installed version : 1.2.12
  Fixed version     : 2.16.0

Thanks,
Venu


On Tue, Mar 1, 2022 at 3:09 PM John Patrick <nh...@gmail.com> wrote:

> You might need to raise a bug with your security scanner regarding false
> positives.
>
> So your dependency tree I only see log4j 2.17.1; i.e.
>
> Your Pom
> - org.springframework.boot:spring-boot-starter-web:2.6.4
> -- org.springframework.boot:spring-boot-starter-web:2.6.4
> --- org.springframework.boot:spring-boot-starter:2.6.4
> ---- org.springframework.boot:spring-boot-starter-logging:2.6.4
> ----- org.apache.logging.log4j:log4j-to-slf4j:2.17.1
> ------ org.apache.logging.log4j:log4j-api:2.17.1
>
> Doing a build "mvn clean install -Dmaven.repo.local=repo"
> Then "find repo -name "*log4j*" -type f", only returns;
> repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar
> repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom.sha1
> repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom
> repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar.sha1
>
> repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom
>
> repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom.sha1
>
> repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar
>
> repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar.sha1
> repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom
> repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom.sha1
> repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom.sha1
> repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom
> repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
> repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
>
> What version does the scanner say its found?
>
> John
>
>
> On Mon, 28 Feb 2022 at 23:15, Juraj Veverka
> <ju...@globallogic.com.invalid> wrote:
>
>> Hi David
>>
>> Just for clarification: we are not relying on the maven dependency plugin
>> at runtime. Our runtime is perfectly clear of log4j vulnerabilities.
>> The problem is that our security scanners are scanning gitlab runner nodes
>> (virtual machines on which we compile and package our application) and
>> log4j vulnerability is found there.
>>
>> Kind regards
>> Juraj Veverka
>>
>> On Mon, Feb 28, 2022 at 1:32 PM Juraj Veverka <
>> juraj.veverka@globallogic.com>
>> wrote:
>>
>> > Hi David
>> >
>> > Many thanks for your email, I really appreciate your reply. This is an
>> > isolated example of the problem.
>> > https://github.com/jveverka/mvn-dependency-log4j
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jveverka_mvn-2Ddependency-2Dlog4j&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=AC0t0NoA5845dPyKpR8lsYNM7WTCJwwyPgEofV4Ol_Y&m=YnwZ9qtf2ssy2X7BtFEdb6sc51tnRW348Lgq19Z_Bc-SimfW-lLCXefxcZo7sSd-&s=rTfnRNZDffnibANIzme82pujkc-7ey2b8CaTn37aujw&e=>
>> > You can find all repro steps there. In case of any questions, feel free
>> > to contact me.
>> >
>> > Kind regards
>> > Juraj Veverka
>> >
>> >
>> >
>> > On Mon, Feb 28, 2022 at 12:14 PM David Milet <da...@gmail.com>
>> > wrote:
>> >
>> >> Where I work we decided to address log4j vulnerabilities only for
>> >> components directly used by the application and actually performing
>> logging.
>> >> We ignored transitive dependencies and maven plug-ins.
>> >> I’m curious about this use case from Venu though, what application
>> would
>> >> rely on the maven dependency plugin at runtime? Does it mean you’re
>> pulling
>> >> maven dependencies after application startup?
>> >>
>> >> > On Feb 28, 2022, at 03:30, Slawomir Jaranowski <
>> s.jaranowski@gmail.com>
>> >> wrote:
>> >> >
>> >> > Hi,
>> >> >
>> >> > Please provide more information, like plugin, mven, os version.
>> >> >
>> >> > We also need an example project which reproduces your issue.
>> >> > When we can't reproduce we can't help.
>> >> >
>> >> > pon., 28 lut 2022 o 08:55 Jaladi, Venumadhav
>> >> > <ja...@verizon.com.invalid> napisał(a):
>> >> >
>> >> >> Hi team,
>> >> >>
>> >> >> Can I expect any response?  Is this the right email address for my
>> >> >> question?
>> >> >>
>> >> >> Thanks,
>> >> >> Venu
>> >> >>
>> >> >>
>> >> >>> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <
>> >> >>> jaladi.venumadhav@verizon.com> wrote:
>> >> >>>
>> >> >>> Hi team,
>> >> >>>
>> >> >>> We are using the Maven Dependency Plugin in one of our projects and
>> >> our
>> >> >>> scanning tools are showing multiple vulnerabilities related to
>> Log4j
>> >> >>> (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
>> >> >>> CVE-2022-23307 and CVE-2021-4104).
>> >> >>>
>> >> >>> We would  like to know if there are any plans to release a newer
>> >> version
>> >> >>> of Maven Dependency Plugin with the fixes of these
>> >> >>> vulnerabilities(referring to the latest version of Log4j
>> libraries).
>> >> If
>> >> >>> so, is there any planned date for this release?
>> >> >>>
>> >> >>> Please let us know any any more information is required.
>> >> >>>
>> >> >>> Thanks,
>> >> >>> Venu
>> >> >>>
>> >> >>
>> >> >
>> >> >
>> >> > --
>> >> > Sławomir Jaranowski
>> >>
>> >>
>> >
>> > --
>> >
>> > Best Regards
>> >
>> > --
>> >
>> > Juraj Veverka <https://github.com/jveverka> | Solution Design Architect
>> >
>> > M +421 917 521 285
>> >
>> > www.globallogic.sk <https://www.globallogic.com/sk/>
>> >
>> > http://www.globallogic.com/Disclaimer.htm
>> >
>>
>