Comments (18)
Updated Logback to 1.1.11, which is the lowest version that does not have this vulnerability. Used lowest Logback version to avoid backwards compatibility issues for users of this lib.
I'm releasing this to Maven Central but it will be a little while before it propagates...
from owasp-security-logging.
Actually you are correct! I just checked and the fix was to convert the variables from int to long.
That fix is not present in the 1.1.11 branch.
I'll reopen this and update to 1.2.0.
I know the bug is in Logback, therefore if you don't update its dependencies in this project it's marked vulnerable too.
I've just noticed you've fixed this issue. Last night I updated and cleaned up everything I could on my fork. If you like it, I could create a pull request (all or nothing, too many changes).
I've tested it and it works. Feel free to close the ticket.
@giacgbj Thanks for the pull request. I've reviewed it and it looks mostly like formatting changes and notations. I am however interested in the changes you made to the POMs and JUnit tests.
Could you perhaps do a fresh pull from master and submit separate pull requests with just those changes?
Version 1.1.4 now propagated to Maven Central.
According to https://nvd.nist.gov/vuln/detail/CVE-2017-5929 "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components." so either you update to a version greater than or equal to 1.2.0 or find a way to persuade them to change the issue, considering that from https://logback.qos.ch/news.html "Release 1.2.0 fixes a rather severe serialization vulnerability in SocketServer and ServerSocketReceiver." and the ticket they refer to (https://jira.qos.ch/browse/LOGBACK-1231) affects version 1.1.8.
Odd, the CPE configuration on https://nvd.nist.gov/vuln/detail/CVE-2017-5929#vulnConfigurationsArea says "versions up to (including) 1.1.10". Changing to Logback 1.1.11 should satisfy that requirement.
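The range discrepancy discussed in the two comments above (the NVD description says "before 1.2.0", the CPE configuration stops at 1.1.10) as an added example that is not code from this thread or from the owasp-security-logging project: it parses a constructed pom.xml, extracts the declared Logback version and classifies it against both ranges, flagging 1.1.11 as the ambiguous case.

```python
# Added example (not from the issue thread or the project): read a Maven POM,
# find ch.qos.logback dependencies and compare their version against the two
# CVE-2017-5929 ranges quoted by NVD. The sample POM below is constructed.
import re
import xml.etree.ElementTree as ET

FIXED_PER_DESCRIPTION = (1, 2, 0)   # NVD text: "Logback before 1.2.0"
LAST_AFFECTED_PER_CPE = (1, 1, 10)  # NVD CPE: "versions up to (including) 1.1.10"
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; 1.1.11 is the version the thread settled on first.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>1.1.11</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'1.1.11' -> (1, 1, 11); pads to three parts, ignores -SNAPSHOT style suffixes."""
    parts = [int(p) for p in re.findall(r"\d+", text.split("-")[0])]
    return tuple((parts + [0, 0, 0])[:3])

def logback_versions(pom_xml):
    """Map artifactId -> version tuple for every ch.qos.logback dependency in a POM."""
    found = {}
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        ver = dep.findtext("m:version", default="", namespaces=POM_NS)
        if gid == "ch.qos.logback" and ver:
            found[aid] = parse_version(ver)
    return found

def assess(version):
    """Classify a Logback version against both NVD ranges for CVE-2017-5929."""
    in_cpe_range = version <= LAST_AFFECTED_PER_CPE
    below_fix = version < FIXED_PER_DESCRIPTION
    if in_cpe_range and below_fix:
        return "vulnerable"
    if below_fix:  # e.g. 1.1.11: clears the CPE range but is below the 1.2.0 fix
        return "ambiguous: outside CPE range but below 1.2.0 fix"
    return "fixed"

if __name__ == "__main__":
    for artifact, ver in logback_versions(SAMPLE_POM).items():
        print(artifact, ".".join(map(str, ver)), "->", assess(ver))
```

A scanner that only honours the CPE range reports 1.1.11 as clean, which is exactly why the thread reopened the issue; treating the "ambiguous" result as a finding avoids that gap.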
versioneye and coverity are both unreachable today; if those turn up green, we can close this item.
Coverity is green, VersionEye is still giving HTTP 508 errors.
I already released v1.1.5 5 days ago. I think we should close this.
I am waiting for the VersionEye website to confirm the fix for the CVE, that's why this was still open.
It's at least 8 days that VersionEye website is unreachable: versioneye/versioneye#730 :/
Maybe we should change to another dependency analysis service then.
VersionEye is shut down: https://blog.versioneye.com/2017/10/19/versioneye-sunset-process/
I have added the skyp.io dependency analysis service; its report shows the Logback vulnerability is fixed, but log4j isn't. Introduced through: javabeanz/owasp-security-logging@javabeanz/owasp-security-logging#38dce79070bb868a9c734cb24cbfb6fece629c05 › org.apache.logging.log4j:[email protected]
Remediation: Upgrade to org.apache.logging.log4j:[email protected], with CVE-502 https://cwe.mitre.org/data/definitions/502.html