Comments (6)
kwwall
commented on August 29, 2024
Yes, there's a transitive dependency on log4j 1.2.17 via ESAPI, but the ESAPI team has done a thorough analysis of all the Log4J 1 related vulnerabilities and ESAPI does not expose users to any them with its standard configuration (which is to use ConsoleAppender, although any of the FileAppenders should be fine as well). The ESAPI team has written up specific Security Bulletins discussing these. As long as you are not using something like JMSAppender or SMTPAppender or another of the vulnerable classes in your log4j.xml file, you should be fine.
I can point out the specific links to the Security Bulletins latter if you would like me to, but don't have time at the moment. There are about 6 of them.
-kevin wall, ESAPI project co-lead
from owasp-java-encoder.
l00zak
commented on August 29, 2024
Thanks for quick answer Kevin!
Found your statement about patching in ESAPI
https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU?pli=1
As I understand log4j 1.2.17 will stay here until at least release of ESAPI 3.x because of backward compatibility, and there is no simple way to get rid of this dependency.
from owasp-java-encoder.
kwwall
commented on August 29, 2024
Our deprecation policy is next major release (which would be 3.x) OR at
least 2 years until after the first deprecation announcement. That 2 years
will be up on 7/13/2022 so we plan to do a release without Log4J 1
dependency shortly thereafter.
On Tue, May 3, 2022, 1:00 PM l00zak ***@***.***> wrote:
Thanks for quick answer Kevin!
Found your statement about patching in ESAPI
https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU?pli=1
As I understand log4j 1.2.17 will stay here until at least release of
ESAPI 3.x because of backward compatibility, and there is no simple way to
get rid of this dependency.
—
Reply to this email directly, view it on GitHub
<#60 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAO6PGYXAJP4FVVTW7V5HB3VIFLTZANCNFSM5U6MHKOA>
.
You are receiving this because you commented.Message ID:
***@***.***>
-kevin
from owasp-java-encoder.
kwwall
commented on August 29, 2024
Apologies if this is hard to read. I copied it from an email that I shared
with GitHub Security Lab and I thought @l00zak might find it helpful. I
think the copy/paste stripped out the tabs and changed them to spaces.
Anyway, here's a complete list of the Log4J 1 related vulnerabilities that
are associated with all the ESAPI releases that get flagged because of
ESAPI's direct dependency on log4j-1.2.17.jar. I have written up ESAPI
security bulletins for each of these and provided links for each.
Assigned CVE Vuln Component ESAPI Security Bulletin
===================================================================================================================================
CVE-2019-17571 SocketServer
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf
CVE-2020-9488 SMTPAppender
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin4.pdf
CVE-2021-4104 JMSAppender
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin6.pdf
CVE-2022-23305 JDBCAppender
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin7.pdf
CVE-2022-23302 JMSSink
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin9.pdf
CVE-2022-23307 Chainsaw
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin10.pdf
Note that this last one, Apache Chainsaw, is now a separate library (it's a
standalone GUI program to display log files), but it originally was
included with the Log4J 1 jar and wasn't split out separately until Log4J 2.
…-kevin
from owasp-java-encoder.
l00zak
commented on August 29, 2024
You could not be more clear Kevin!
Thanks for clarification :)
from owasp-java-encoder.
kwwall
commented on August 29, 2024
FYI - Related to this closed issue, the ESAPI team is currently working on releasing 2.5.0.0, which will remove ALL Log4J 1 dependencies. As of 7/13/2022, Log4J 1 will have been officially deprecated for 2 years, which we only kept that long because of our deprecation policy. But once 2.5.0.0 is released (I'm working on release notes now), all known CVEs should be dealt with, but to get the benefit, the Java Encoder project (well, the 'ESAPI Thunk' part that builds the 'encoder-esapi' jar) will have to update to ESAPI 2.5.0.0. I'm hoping to have that out RSN.
from owasp-java-encoder.
Related Issues (20)
- JavaScriptEncoder escapes "-" what makes dates escaped HOT 6
- Create an encodeForEmail() function HOT 4
- Possible to inject expression property resulting XSS attack in IE browser by using certain document modes HOT 2
- Please sign the jar HOT 12
- Documentation Frames Broken by Content-Security-Policy HOT 1
- Process for reporting possible security vulnerabilties
- Correct javadoc for Encode class HOT 1
- Javadoc link is broken HOT 4
- Alternative method for deprecated forUri() method HOT 1
- Jsp tags not working together with EL expressions HOT 4
- Compile error HOT 6
- Any plans for a version using Jakarta Servlet 5.0? HOT 5
- Automatic module name not included in manifest HOT 2
- I couldn't sanitize the vector "<%<!--'%><script>alert(1);</script -->", using the methods available in "encoder-1.2.3.jar". HOT 4
- Combining OWASP Sanitizer and Encoder HOT 5
- Confusing example in Encode.forHtmlAttribute docs HOT 3
- Add an XML 1.1 encoder HOT 1
- Unable to compile v1.2.3 branch with JDK8 HOT 14
- java.lang.NoSuchMethodError when running on Java 8 HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from owasp-java-encoder.