Protecting from vulnerabilities in Java: How we managed the log4j crisis

  • Analysing dependencies with Maven and Gradle
  • Using dedicated tools

Finding where we use log4j

Duke looking for vulnerabilities in a pom.xml

Analysing dependencies

[INFO] | +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] | \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- software.amazon.lambda:powertools-logging:jar:1.5.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] | \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
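As an added example (not code from the original post), a small Python script that scans `mvn dependency:tree` output like the listing above and reports every org.apache.logging.log4j artifact that resolved below 2.17.1, the version this post upgrades to. The sample tree is constructed from the lines above; the single 2.17.1 floor is an assumption and ignores the 2.12.x / 2.3.x backport lines for older JDKs.

```python
import re
from typing import Dict, List, Tuple

# One coordinate as `mvn dependency:tree` prints it:
#   groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

LOG4J_GROUP = "org.apache.logging.log4j"
# Assumption: one floor for every artifact in the group, matching the post's
# upgrade target. The 2.12.x / 2.3.x backports for old JDKs are not modelled.
MIN_SAFE = (2, 17, 1)

# Constructed sample: the tree listing from the post, plus a root and an
# unrelated dependency so the filter has something to skip.
SAMPLE_TREE = """\
[INFO] com.example:todo:jar:1.0.0
[INFO] +- software.amazon.lambda:powertools-logging:jar:1.5.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); stops at the first non-numeric part."""
    out: List[int] = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        out.append(int(part))
    return tuple(out)

def log4j_artifacts(tree: str) -> Dict[str, List[str]]:
    """Map each org.apache.logging.log4j artifact to the versions Maven resolved for it."""
    found: Dict[str, set] = {}
    for line in tree.splitlines():
        m = COORD_RE.search(line)
        if m and m.group("group") == LOG4J_GROUP:
            found.setdefault(m.group("artifact"), set()).add(m.group("version"))
    return {a: sorted(v) for a, v in sorted(found.items())}

def vulnerable(tree: str) -> List[Tuple[str, str]]:
    """(artifact, version) pairs that resolved below MIN_SAFE, sorted by artifact."""
    return [(a, v) for a, vs in log4j_artifacts(tree).items()
            for v in vs if parse_version(v) < MIN_SAFE]

if __name__ == "__main__":
    for artifact, version in vulnerable(SAMPLE_TREE):
        print(f"{artifact} {version} is below {'.'.join(map(str, MIN_SAFE))}")
```

The tree shows the version Maven actually mediated onto the classpath, so re-running this after adding the explicit 2.17.1 dependency confirms the override took effect in every module.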

Using OWASP Dependency-check

$ mvn org.owasp:dependency-check-maven:6.5.3:check

One or more dependencies were identified with known vulnerabilities in Todo:

log4j-core-2.14.1.jar (pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1, cpe:2.3:a:apache:log4j:2.14.1:::::::) : CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CWE-502: Deserialization of Untrusted Data
log4j-slf4j-impl-2.14.1.jar (pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.14.1, cpe:2.3:a:apache:log4j:2.14.1:::::::) : CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105
See the dependency-check report for more details.
OWASP Dependency Check HTML report

Using snyk

snyk dashboard containing discovered vulnerabilities

Fixing the vulnerability

Patching our applications

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.1</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.1</version>
</dependency>

implementation 'org.apache.logging.log4j:log4j-core:2.17.1'
implementation 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1'
  • With Maven, simply declare an explicit dependency on log4j 2.17.1 (or newer): a direct dependency takes precedence over any transitive one. From the documentation:
  • With Gradle, you can add a constraint that enforces the use of a specific version (see this blog post from Gradle for more details):
dependencies {
    constraints {
        implementation("org.apache.logging.log4j:log4j-core") {
            version {
                strictly("[2.17.1, 3[")
                prefer("2.17.1")
            }
            because("CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities")
        }
    }
}
snyk proposing some fixes to our vulnerabilities
Pull request automatically created by snyk

What else can we do?

Log4j JNDI Attack and how to prevent it — from GovCERT.ch

Conclusion

Jérôme Van Der Linden

Senior Solution Architect @AWS - software craftsman, agile and devops enthusiastic, cloud advocate. Opinions are my own.