CVE-2021-44228: Request to Upgrade Log4j #429
Comments
|
@konkodi210 The latest version of log4j (2.15.0) have been incorporated into main. See my note that all the testware matches before and after. |
|
Are any of the SAS dependencies using Log4J? Will this force them to use 2.15 as well? |
|
Does 2.15 continue to have vulnerabilities?: https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/ |
|
@binnisb, I can't speak for certain but I don't think it will force other components to use 2.15. The jars are shipped for ease of use in establishing an IOM connection to SAS. In the earliest versions of SASPy users had to specify their own classpath now that is done on behalf of the user here. @tomweber-sas do you have anything to add? |
|
@brentgunderson, Just completed the PR with log4j 2.16. This is at main but not yet pushed to pypi or conda. Any feedback is welcome. |
|
log4j 2.15 still present in 'iomclient' folder -- likely needs to be removed |
|
@pcompieta Thank you! I had them deleted in my fork but somehow in the merge of the PR they didn't get cleaned up. |
|
New release of SASPy has been created (v3.7.7) and it has been pushed to pypi I'm closing this issue. Please report any problems. |
|
Hey, I'm sorry I was on vacation when this came in (at sea for 8 days in the pacific scuba diving w/ no form of communication of any kind; was wonderful :) but back to business). I want to address the various things in this from the different vulnerabilities in log4j and classpath questions. As for the classpath, you can still code the classpath yourself, overriding what saspy generates on it's own, so you can easily provide or specify whatever log4j jars you feel are vulnerability free (if there are any). But again, it's moot as saspy doesn't initialize or use the log4j subsystem. I recently upgraded the log4j provided by saspy to the 2.12.1 version, since previously it had the 1.2 which was past EOL. That version (2.12.7) was the highest version still supporting java 7, which is the documented lowest version of Java supported by SASPy. This new version of log4j that has been promoted, now requires Java V8 or higher, so that backward compatibility is now gone. We will have to document that V8 of java is now the minimum supported. Luckily, Java 7 EOL is fast approaching, but I don't like to just push breaking changes without warning or documenting them. So, I'll have to address that next. No doubt they will continue to find arbitrary vulnerabilities in whatever version there is, but whatever the case, SASPy won't expose them as it isn't using, or even initializing, the log4j subsystem. Also, you can override whatever version you want by providing it on the classpath you provide if you want. Please let me know if you have any questions or follow up concerns about any of this! Happy to further the conversation. Thanks, |
|
@tomweber-sas what if malicious username or host have been passed to saspy? Does saspy ever print user provided details for method's or functions of saspy? |
|
Thanks @dimon222, in that case, the connection will fail due to invalid credentials. Neither the id nor pw will be logged via log4j since log4j is not used in the saspy client. So there is no exposure. It will simply fail to establish a connection. |
|
Oh, sorry I'm on my phone at lunch and missed the rest of your question. I don't print out anything about credentials. And I can't think of any user input that would be printed otherwise. Anything saspy prints would be with pythons print() which goes to pythons stout and had nothing to do with log4j, as that's a Java thing. So again, there's no exposure possible with the log4j jars included in saspy. |
|
Our company uses Qualys tool to massively scan file system of tens of
thousands VMs and there's not enough analysts to assess "actual exposure" -
we were forced to immediately move to 3.7.7 to avoid being flagged and
shutdown.
Btw, I heard a new version of log4j 2.12 has been pushed out for Java7
people, so that may have everyone happy. In case you want to go back to
such in the 3.7 line, we would really need having a Saspy version:
- shipping with log4j 2.16
- 100% backwards compatible to 3.7.6
- automatic installed when "pip install saspy"
Hope this helps
Thanks!
Paolo
Il Ven 17 Dic 2021, 19:10 Tom Weber ***@***.***> ha scritto:
… Oh, sorry I'm on my phone at lunch and missed the rest of your question. I
don't print out anything about credentials. And I can't think of any user
input that would be printed otherwise. Anything saspy prints would be with
pythons print() which goes to pythons stout and had nothing to do with
log4j, as that's a Java thing. So again, there's no exposure possible with
the log4j jars included in saspy.
—
Reply to this email directly, view it on GitHub
<#429 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB3X4GYKYRNCI3OWXO32YELURN4KPANCNFSM5J2N37VA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Yes @pcompieta, I looked at the Apache statement on this (https://logging.apache.org/log4j/2.x/index.html) and saw 2.12.2 was available and would be compatible w/ saspy as it is and address this security problem. Thanks for pointing that out too! You are right in that just stating saspy doesn't expose any log4j vulnerabilities won't necessarily satisfy all IT requirements for all companies, so just upgrading to the version that passes the scans is necessary. I'm working on providing both 2.12.2 and 2.16.0 (which is there now) and defaulting to use 2.12.2 in the classpath I build. I am adding a new configuration definition key 'log4j' which will allow you to override (I still build the class path for you) and use the 2,16.0 versions. You can also provide 'classpath' which will be used instead of me building out the claspath (I would see the path I build and use it, only replacing the log4j jars with what you want), so you can always use any version you want. to your config definition, or adding it on the sas = saspy.SASsession(..., log4j='2.16.0') method. What do you think about this? Solve all the case, like you're thinking? Am I missing anything? |
|
FYI, I just pushed this and built v3.7.8. This uses 2.12.2 but you can tell it to use 2.16.0 if you want, and have Java 8 or higher. Thanks, |
|
Hi Tom,
I think using 2.12.2+ would fix things for both Java 7 and Java 8 users
given it's compatible with both.
The push for releasing a version using 2.16 was only due to no one
announcing a 2.12.2. Now that both are available, your default makes more
sense. Moreover, if there's a version which is secure, scan tools will
surely reflect that after a while. Having the configurability you
introduced may help the transition or complex cases.
This said, the last vulnerability
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 has been out
for days already and no other has emerged. In this very same link you can
find 2.12.3 already mentioned but no trace of this new one on log4j
official site or maven central. It's likely on its way.
Thanks
Paolo
…On Mon, Dec 20, 2021 at 3:56 PM Tom Weber ***@***.***> wrote:
Yes @pcompieta <https://github.com/pcompieta>, I looked at the Apache
statement on this (https://logging.apache.org/log4j/2.x/index.html) and
saw 2.12.2 was available and would be compatible w/ saspy as it is and
address this security problem. Thanks for pointing that out too!
You are right in that just stating saspy doesn't expose any log4j
vulnerabilities won't necessarily satisfy all IT requirements for all
companies, so just upgrading to the version that passes the scans is
necessary. I'm working on providing both 2.12.2 and 2.16.0 (which is there
now) and defaulting to use 2.12.2 in the classpath I build. I am adding a
new configuration definition key 'log4j' which will allow you to override
(I still build the class path for you) and use the 2,16.0 versions. You can
also provide 'classpath' which will be used instead of me building out the
claspath (I would see the path I build and use it, only replacing the log4j
jars with what you want), so you can always use any version you want.
I'm working on this today and will hopefully get this out and built into a
new release so that Java 7 support will be back by default, along with the
ability to use the 2.16.0 jars, if that's what is needed with only adding
'log4j' : '2.16.0',
to your config definition, or adding it on the sas = saspy.SASsession(...,
log4j='2.16.0') method.
What do you think about this? Solve all the case, like you're thinking? Am
I missing anything?
Thanks!
Tom
—
Reply to this email directly, view it on GitHub
<#429 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB3X4G4XSRSJJU3L42NYSVTUR47ZNANCNFSM5J2N37VA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Thanks Paolo, yep that's the next one I mentioned they found to then make 2.17.0, which I guess 2.12.3 has that change in it too. But, I'm not planning on making daily new versions of saspy w/ every new jar they come up with when this is all impossible to be a real problem in the first place; at least for saspy, and probably 90% of all java programs that exist. Even if I used log4j, it would be to write diagnostic records to a log file to help with debugging. That use case can't expose any of these obtuse code paths they are finding where these problems can occur, anyway. None of these issues are about if you write a record to a file that has user provided 'bad stuff' in it, then that somehow causes a problem, because it doesn't. I can write 'sudo rm -rf /*' to a file and guess what terrible things happen to my system? Nothing. Writing log record to a file w/ log4j is probably the most commonly used case, but isn't the code path that can expose these vulnerabilities. So, until this settles down, I'm going to leave saspy as is with these, current as of yesterday (pass blind scans w/ no context as to if there even a problem or not), jars in place. Once there's a 'final' good set of jars, I'll update to those, if that happens. For a site that just has to have all log4j files wiped from their system, and only use some version that seems to pass a scan some particular day, that is easily addressed by just deleting the log4j jars from saspy/java/iomclient and providing the classpath to saspy which has the paths to the blessed log4j jar files in place of what saspy would have had in the classpath it generated (along w/ the rest of the classpath saspy normally generates, of course; just change the log4j part of the path). That can be done w/ any version of saspy, in fact. Again, thanks for your input and help on this! Very much appreciated. |
|
Just an FYI. SASPy V4.0.0 is now production and has 2,12,4 and 2,17,1, as they are the latest versions for all these log4j problems. |
|
With the latest log4j jars pushed into the current release, and it looking like those may be the last ones now, for some time. I'll go ahead and close out this issue. If more problems are found, and more releases created to get around them, I'll update again. But for now it looks like the dust has settled. |
Describe the bug
Currently SASPY uses log4j 2.12 version has major vulnerabilities. Please refer below link for more details. I request you please help us with updated release which uses latest version of log4j where issue is addressed
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
Version: 3.7.6
The text was updated successfully, but these errors were encountered: