ESAPI Security Advisory #4 - How Does CVE-2020-9488 Impact ESAPI?


Kevin W. Wall

Mar 21, 2021, 1:06:53 PM3/21/21
to esapi-project-users, esapi-project-dev
In about 10-15 minutes after this email is posted, you will find ESAPI Security Advisory #4 posted at:

The bottom line is, unless you are still using ESAPI's deprecated Log4j 1's logging and have your log4j.xml configured to use SMTPAppender, you are not vulnerable to this specific CVE. However, unless explicitly suppressed, any Software Composition Analysis tools that you use may continue to point out that you are impacted. (Note: I have added this to ESAPI's 'suppression.xml' file used by OWASP Dependency Check.)

The reason for the 10-15 minute delay is the security advisory will reference this email and I need to post this email first to get a link to it.

Please see the aforementioned security advisory for details.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
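The advisory's bottom line turns on one configuration fact: whether a Log4j 1 log4j.xml actually wires in an SMTPAppender. The script below is an added example, not part of the ESAPI project or of the post above, that parses a log4j.xml and reports whether an SMTPAppender is both declared and referenced from `<root>` or a `<logger>` (a declared but unreferenced appender is inert). It assumes the standard Log4j 1.x XML layout (`<appender name= class=>` elements and `<appender-ref ref=>` entries); the three configurations embedded in it are constructed samples, not taken from ESAPI or any real deployment.

```python
"""Added example, not part of the ESAPI advisory or of the mailing-list post.

Checks a Log4j 1.x log4j.xml for the precondition named in ESAPI Security
Advisory #4: an SMTPAppender that is actually active (referenced by <root>
or a <logger>). Assumes the standard Log4j 1 XML layout.
"""
import xml.etree.ElementTree as ET

SMTP_APPENDER_CLASS = "org.apache.log4j.net.SMTPAppender"

# Constructed sample configuration: SMTPAppender declared and wired to <root>.
LOG4J_XML_WITH_SMTP = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %-5p %c - %m%n"/>
    </layout>
  </appender>
  <appender name="mail" class="org.apache.log4j.net.SMTPAppender">
    <param name="SMTPHost" value="smtp.example.invalid"/>
    <param name="To" value="ops@example.invalid"/>
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%m%n"/>
    </layout>
  </appender>
  <root>
    <level value="INFO"/>
    <appender-ref ref="console"/>
    <appender-ref ref="mail"/>
  </root>
</log4j:configuration>
"""

# Constructed variant: same appender declared but never referenced, so inert.
LOG4J_XML_SMTP_UNREFERENCED = LOG4J_XML_WITH_SMTP.replace(
    '    <appender-ref ref="mail"/>\n', "")

# Constructed sample configuration with no SMTPAppender at all.
LOG4J_XML_NO_SMTP = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %-5p %c - %m%n"/>
    </layout>
  </appender>
  <root>
    <level value="INFO"/>
    <appender-ref ref="console"/>
  </root>
</log4j:configuration>
"""


def find_smtp_appenders(xml_text):
    """Return one dict per SMTPAppender: its name, class attribute, and
    whether it is active, i.e. referenced by any <appender-ref>."""
    root = ET.fromstring(xml_text)
    # <appender-ref> appears under <root> and <logger>; iter() finds both.
    referenced = {ref.get("ref") for ref in root.iter("appender-ref")}
    hits = []
    for appender in root.iter("appender"):
        cls = appender.get("class", "")
        # Exact class match, plus a loose match for custom subclasses that keep
        # "SMTPAppender" in their class name. Subclasses named otherwise are
        # not caught, so treat a clean result as a strong hint, not proof.
        if cls == SMTP_APPENDER_CLASS or cls.endswith("SMTPAppender"):
            hits.append({"name": appender.get("name"), "class": cls,
                         "active": appender.get("name") in referenced})
    return hits


def assess(xml_text):
    """Map the findings onto the advisory's bottom line for CVE-2020-9488."""
    active = [h for h in find_smtp_appenders(xml_text) if h["active"]]
    if active:
        names = ", ".join(h["name"] for h in active)
        return f"exposed: active SMTPAppender ({names}), CVE-2020-9488 precondition present"
    return "not exposed: no active SMTPAppender, CVE-2020-9488 precondition absent"


if __name__ == "__main__":
    for label, cfg in [("with-smtp", LOG4J_XML_WITH_SMTP),
                       ("smtp-unreferenced", LOG4J_XML_SMTP_UNREFERENCED),
                       ("no-smtp", LOG4J_XML_NO_SMTP)]:
        print(f"{label}: {assess(cfg)}")
```

Point `ET.fromstring` at the contents of your real log4j.xml instead of the samples. The check covers only the log4j.xml half of the advisory's condition; it does not tell you whether ESAPI is configured to use its deprecated Log4j 1 logger in the first place, and it does not read the older log4j.properties format, so a clean result here still needs those two facts confirmed before you suppress the finding in Dependency Check.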