
Addressing CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307 #259

Open
jamesdpatterson opened this issue Jan 27, 2022 · 3 comments
Labels: enhancement (New feature or request), patch released

@jamesdpatterson

In terms of log4j version 1.x, there were three new CVEs disclosed last week.

Could we also have the ability to strip JMSSink.class (CVE-2022-23302) and the chainsaw classes (CVE-2022-23307)? The other new issue is CVE-2022-23305, but this is mitigated by removing JMSAppender.class which is already in the code.

Here are the key lines from the Red Hat descriptions of the three new CVEs:

https://access.redhat.com/security/cve/cve-2022-23302
Remove the JMSSink class from the server's jar files. For example:
zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class

https://access.redhat.com/security/cve/CVE-2022-23305
Remove the JDBCAppender class from the server's jar files. For example:
zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class

https://access.redhat.com/security/cve/CVE-2022-23307
Remove the Chainsaw classes from the log4j jar files. For example:
zip -q -d log4j-*.jar org/apache/log4j/chainsaw/*

Thanks for all your work,

James.

@xeraph xeraph self-assigned this Jan 27, 2022
@xeraph xeraph added the enhancement New feature or request label Jan 27, 2022
@xeraph
Contributor

xeraph commented Jan 27, 2022

@jamesdpatterson Would you test v2.8.0 release?

@bonsei0

bonsei0 commented Jan 31, 2022

Hi,
I just tested the new version 2.8.1. I removed the classes step by step from a log4j 1 jar file:
$ file=log4j-1.2.17.jar

$ ./log4j2-scan $file --scan-log4j1
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /home/webadm/dummy_log4j_jar/log4j-1.2.17_miti.jar, log4j 1.2.17

$ zip -q -d "$file" org/apache/log4j/net/JMSAppender.class
$ ./log4j2-scan $file --scan-log4j1
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /home/webadm/dummy_log4j_jar/log4j-1.2.17_miti.jar, log4j 1.2.17

$ zip -q -d "$file" org/apache/log4j/net/SocketServer.class
$ ./log4j2-scan $file --scan-log4j1
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /home/webadm/dummy_log4j_jar/log4j-1.2.17_miti.jar, log4j 1.2.17

Output is always CVE-2021-4104 Vulnerable. Doesn't matter if CVE-2021-4104 (JMSAppender) is already mitigated.
I thought the output might change to the next vulnerable CVE?

When all classes are removed, I get:
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /home/webadm/dummy_log4j_jar/log4j-1.2.17_miti.jar, log4j 1.2.17 (mitigated)

The final result (vulnerable/mitigated) is ok. But the CVE number doesn't really match.

@xeraph
Contributor

xeraph commented Feb 1, 2022

@bonsei0 Thank you for the detailed report. However, the scanner presents only a representative CVE code for simplicity. Since log4j1 has multiple vulnerabilities, it is quite difficult to read the scan report if the scanner prints all CVE codes for a single JAR file.

Even if you eliminated some classes from the JAR file, the scanner detects the vulnerability to support vulnerable file identification and the patch process. (You should contact the vendor and upgrade the application.)

However, many users (#233, #237) want to see all CVE codes and the mitigation history for vulnerable files. We are preparing a new web service called Logpresso Watch and a scanner release for this.
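As an added example (not the scanner's code and not from anyone in this issue), here is the per-CVE view bonsei0 was expecting: it checks which of the class entries named in the Red Hat advisories quoted above are still present in a jar, and reproduces the `zip -q -d` removal steps on a constructed stand-in jar. The CVE-to-entry mapping and matching by entry-name prefix are assumptions of this example.

```python
import io
import zipfile

# CVE -> jar entries whose removal mitigates it, from the Red Hat advisories
# quoted in the issue (CVE-2021-4104 is the JMSAppender case the scanner
# already strips). A trailing "/" matches every class under that package.
VULNERABLE_ENTRIES = {
    "CVE-2021-4104": ["org/apache/log4j/net/JMSAppender.class"],
    "CVE-2022-23302": ["org/apache/log4j/net/JMSSink.class"],
    "CVE-2022-23305": ["org/apache/log4j/jdbc/JDBCAppender.class"],
    "CVE-2022-23307": ["org/apache/log4j/chainsaw/"],
}

def cve_status(jar_bytes):
    """Return {cve: [class entries still present]}; an empty list means mitigated."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
    return {cve: sorted(n for n in names if n.endswith(".class")
                        and any(n.startswith(p) for p in prefixes))
            for cve, prefixes in VULNERABLE_ENTRIES.items()}

def report(jar_bytes):
    """One verdict per CVE instead of the single representative code the scanner prints."""
    return {cve: "vulnerable" if left else "mitigated"
            for cve, left in cve_status(jar_bytes).items()}

def strip_entries(jar_bytes, prefixes):
    """Rewrite the jar without the matching entries (what `zip -q -d` does in place)."""
    src, out = zipfile.ZipFile(io.BytesIO(jar_bytes)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if not any(info.filename.startswith(p) for p in prefixes):
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_sample_jar():
    """Constructed stand-in for log4j-1.2.17.jar: empty entries with the real class names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for e in ["org/apache/log4j/Logger.class",
                  "org/apache/log4j/net/JMSAppender.class",
                  "org/apache/log4j/net/JMSSink.class",
                  "org/apache/log4j/net/SocketServer.class",
                  "org/apache/log4j/jdbc/JDBCAppender.class",
                  "org/apache/log4j/chainsaw/Main.class",
                  "org/apache/log4j/chainsaw/LoggingReceiver.class"]:
            z.writestr(e, b"")
    return buf.getvalue()

if __name__ == "__main__":
    jar = strip_entries(build_sample_jar(), ["org/apache/log4j/net/JMSAppender.class"])
    print(report(jar))  # CVE-2021-4104 mitigated, the three 2022 CVEs still vulnerable
```

Run it against a real log4j 1.x jar by passing the file's bytes to `report`; a mitigated verdict here only means the named classes are gone, which, as xeraph notes, is no substitute for upgrading.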
