Posted to dev@ant.apache.org by Gintautas Grigelionis <g....@gmail.com> on 2018/02/07 14:54:36 UTC

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
Log4j 1.x issue. Did I miss something?

Gintas

2018-02-07 8:11 GMT+01:00 Jan Matèrne (jhm) <ap...@materne.de>:

> CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security
> vulnerability
>
>
>
> Severity: low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>
>   Apache Ant 1.9.0 - 1.9.9
>
>   Apache Ant 1.10.0 - 1.10.1
>
>   The unsupported Apache Ant 1.8 and lower versions are also affected.
>
> Description:
>
>   When using Apache Ant's Log4jListener there could be a security issue with the
>   underlying Apache Log4j library in version 1.x.
>
>   Please note that Log4j 1.x has reached its end of life and is no longer maintained.
>
>   For details about migrating away from Log4j 1.x please consult with the
>   Apache Log4j team.
>
> Mitigation:
>
>   Users should not use the Log4JListener or use the log4j2-bridge.
>
>   (Using the bridge requires Ant 1.9.10+ or Ant 1.10.2+.)
>
> Credit:
>
>   This issue was discovered by Wade Schwarz of Oracle.
>
>
>
>
>
> -Jan Matèrne
>
> on behalf of the Apache Ant PMC
>
>

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Posted by Matt Sicker <bo...@gmail.com>.
After 2.8.2, there's a class whitelist used for deserializing data in the
receiver.

On 7 February 2018 at 12:19, Gintautas Grigelionis <g....@gmail.com>
wrote:

> Sorry, could you please clarify whether there are different aspects pertaining
> to 1.x and 2.x up to and after 2.8.2?
>
> Thanks, Gintas
>
> 2018-02-07 19:10 GMT+01:00 Matt Sicker <bo...@gmail.com>:
>
> > Based on that version, this is related to using Java serialization for
> > logs. The general workaround here is to use a different format like JSON
> > instead to avoid the vulnerability entirely.
> >
> > On 7 February 2018 at 12:03, Gintautas Grigelionis <
> > g.grigelionis@gmail.com>
> > wrote:
> >
> > > Exactly, what I meant is that it's worth pointing out that not even all
> > > versions of log4j 2.x are safe.
> > >
> > > Gintas
> > >
> > > 2018-02-07 18:18 GMT+01:00 Stefan Bodewig <bo...@apache.org>:
> > >
> > > > On 2018-02-07, Gintautas Grigelionis wrote:
> > > >
> > > > > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> > > > > Log4j 1.x issue. Did I miss something?
> > > >
> > > > The subject is how it has been reported to us.
> > > >
> > > > Prior to the latest releases you have not been able to use log4j2 so
> > > > there is no reason to talk about those versions. The recommended
> > > > mitigation of "don't use Log4JListener or use the log4j2-bridge" is
> > > > correct, one might add "of a log4j 2.x version that is not vulnerable to
> > > > the attack".
> > > >
> > > > Stefan
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
> > > > For additional commands, e-mail: dev-help@ant.apache.org
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > Matt Sicker <bo...@gmail.com>
> >
>



-- 
Matt Sicker <bo...@gmail.com>
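As an added example of the class whitelist Matt Sicker describes for the post-2.8.2 receiver (this is illustration code written for this page, not Log4j's or Apache Ant's own implementation): a stand-alone Java program that reimplements the idea by overriding ObjectInputStream.resolveClass so that only allowlisted class names are resolved. SampleLogEvent, AllowlistObjectInputStream, readWithAllowlist and the allowlist contents are assumed names for illustration; no Log4j class is referenced. A HashMap stands in for an attacker-chosen gadget class, since the point is that the rejection happens before any class outside the list is loaded.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public final class AllowlistDeserializationDemo {

    // Constructed stand-in for a serialized log event (assumption for this example; not Log4j's LogEvent).
    static final class SampleLogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String logger;
        final String level;
        final String message;

        SampleLogEvent(String logger, String level, String message) {
            this.logger = logger;
            this.level = level;
            this.message = message;
        }
    }

    // ObjectInputStream that refuses to resolve any class whose name is not on the allowlist.
    // resolveClass() runs before the class is loaded and before any readObject()/readResolve()
    // hook can fire, so a gadget-chain payload is stopped before it executes anything.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Plain Java serialization, as a SocketAppender-style sender would produce it.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Receiver side: deserialize only through the allowlisting stream.
    static Object readWithAllowlist(byte[] payload, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(payload), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Only the event class itself; java.lang.String needs no entry because strings are
        // written as TC_STRING records, not as class descriptors.
        Set<String> allowed = new HashSet<>(Arrays.asList(SampleLogEvent.class.getName()));

        byte[] legitimate = serialize(new SampleLogEvent("build", "INFO", "compile finished"));
        SampleLogEvent event = (SampleLogEvent) readWithAllowlist(legitimate, allowed);
        System.out.println("accepted: " + event.logger + " " + event.level + " " + event.message);

        // Any class outside the list stands in for an attacker-chosen gadget class.
        byte[] hostile = serialize(new HashMap<String, String>());
        try {
            readWithAllowlist(hostile, allowed);
            System.out.println("BUG: hostile payload was accepted");
        } catch (InvalidClassException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

Compile and run with `javac AllowlistDeserializationDemo.java && java AllowlistDeserializationDemo`. The allowlist has to name every class that appears as a descriptor in a legitimate event's object graph, otherwise valid events fail closed; that is the safe direction, but it is why the list is maintained per receiver rather than guessed. On Java 9+ (and 8u121+) the same check can be expressed without subclassing through java.io.ObjectInputFilter or the jdk.serialFilter system property, which also lets you cap graph depth and array sizes.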

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Posted by Gintautas Grigelionis <g....@gmail.com>.
Sorry, could you please clarify whether there are different aspects pertaining
to 1.x and 2.x up to and after 2.8.2?

Thanks, Gintas

2018-02-07 19:10 GMT+01:00 Matt Sicker <bo...@gmail.com>:

> Based on that version, this is related to using Java serialization for
> logs. The general workaround here is to use a different format like JSON
> instead to avoid the vulnerability entirely.
>
> On 7 February 2018 at 12:03, Gintautas Grigelionis <
> g.grigelionis@gmail.com>
> wrote:
>
> > Exactly, what I meant is that it's worth pointing out that not even all
> > versions of log4j 2.x are safe.
> >
> > Gintas
> >
> > 2018-02-07 18:18 GMT+01:00 Stefan Bodewig <bo...@apache.org>:
> >
> > > On 2018-02-07, Gintautas Grigelionis wrote:
> > >
> > > > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> > > > Log4j 1.x issue. Did I miss something?
> > >
> > > The subject is how it has been reported to us.
> > >
> > > Prior to the latest releases you have not been able to use log4j2 so
> > > there is no reason to talk about those versions. The recommended
> > > mitigation of "don't use Log4JListener or use the log4j2-bridge" is
> > > correct, one might add "of a log4j 2.x version that is not vulnerable to
> > > the attack".
> > >
> > > Stefan
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
> > > For additional commands, e-mail: dev-help@ant.apache.org
> > >
> > >
> >
>
>
>
> --
> Matt Sicker <bo...@gmail.com>
>

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Posted by Matt Sicker <bo...@gmail.com>.
Based on that version, this is related to using Java serialization for
logs. The general workaround here is to use a different format like JSON
instead to avoid the vulnerability entirely.

On 7 February 2018 at 12:03, Gintautas Grigelionis <g....@gmail.com>
wrote:

> Exactly, what I meant is that it's worth pointing out that not even all
> versions of log4j 2.x are safe.
>
> Gintas
>
> 2018-02-07 18:18 GMT+01:00 Stefan Bodewig <bo...@apache.org>:
>
> > On 2018-02-07, Gintautas Grigelionis wrote:
> >
> > > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> > > Log4j 1.x issue. Did I miss something?
> >
> > The subject is how it has been reported to us.
> >
> > Prior to the latest releases you have not been able to use log4j2 so
> > there is no reason to talk about those versions. The recommended
> > mitigation of "don't use Log4JListener or use the log4j2-bridge" is
> > correct, one might add "of a log4j 2.x version that is not vulnerable to
> > the attack".
> >
> > Stefan
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
> > For additional commands, e-mail: dev-help@ant.apache.org
> >
> >
>



-- 
Matt Sicker <bo...@gmail.com>

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Posted by Gintautas Grigelionis <g....@gmail.com>.
Exactly, what I meant is that it's worth pointing out that not even all
versions of log4j 2.x are safe.

Gintas

2018-02-07 18:18 GMT+01:00 Stefan Bodewig <bo...@apache.org>:

> On 2018-02-07, Gintautas Grigelionis wrote:
>
> > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> > Log4j 1.x issue. Did I miss something?
>
> The subject is how it has been reported to us.
>
> Prior to the latest releases you have not been able to use log4j2 so
> there is no reason to talk about those versions. The recommended
> mitigation of "don't use Log4JListener or use the log4j2-bridge" is
> correct, one might add "of a log4j 2.x version that is not vulnerable to
> the attack".
>
> Stefan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
> For additional commands, e-mail: dev-help@ant.apache.org
>
>

Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Posted by Stefan Bodewig <bo...@apache.org>.
On 2018-02-07, Gintautas Grigelionis wrote:

> The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> Log4j 1.x issue. Did I miss something?

The subject is how it has been reported to us.

Prior to the latest releases you have not been able to use log4j2 so
there is no reason to talk about those versions. The recommended
mitigation of "don't use Log4JListener or use the log4j2-bridge" is
correct, one might add "of a log4j 2.x version that is not vulnerable to
the attack".

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org