Rule for multiple line json report


Wiktor Pieńkowski

Oct 19, 2022, 6:47:52 AM10/19/22
to Wazuh mailing list
Hi, I'm having a problem triggering an alert for my JSON report from the OSS Index plugin, which I would like to add to Wazuh. My rule is based on https://documentation.wazuh.com/current/user-manual/ruleset/json-decoder.html
My rule:
<!-- Grouping rule for OSS Index JSON reports. Level 0 means it never alerts on its own;
     it is meant to be the parent (if_sid) of more specific rules. -->
<group name="oss_index">    
    <rule id="102000" level="0">
   <!-- Only events the JSON decoder accepted reach this rule. -->
   <decoded_as>json</decoded_as>
   <!-- \.+ is OSSEC regex for "one or more of any character".
        NOTE(review): the JSON decoder flattens nested objects into dotted field names,
        so a scalar field literally named "reports" is unlikely to exist in the decoded
        event (the report's "reports" value is an object of objects); confirm the actual
        decoded field names with the logtest tool before relying on this test.
        NOTE(review): the agent also reads one line per event unless a multi-line
        log_format is configured, so a pretty-printed report will not decode as JSON
        at all (see the multi-line-regex reply in this thread). -->
   <field name="reports">\.+</field>
   <description>OSS Index reports</description>
</rule>
</group>

Example report:
{
"reports" : {
"javax.servlet:javax.servlet-api:jar:4.0.1:compile" : {
"coordinates" : "pkg:maven/javax.servlet/javax.se...@4.0.1",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/javax.servlet/javax.se...@4.0.1?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"biz.paluch.logging:logstash-gelf:jar:1.15.0:compile" : {
"coordinates" : "pkg:maven/biz.paluch.logging/logsta...@1.15.0",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/biz.paluch.logging/logsta...@1.15.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"org.apache.logging.log4j:log4j-core:jar:2.19.0:compile" : {
"coordinates" : "pkg:maven/org.apache.logging.log4j/log4j...@2.19.0",
"description" : "Log4 Implementation.",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4j...@2.19.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"ch.qos.logback:logback-core:jar:1.4.3:compile" : {
"coordinates" : "pkg:maven/ch.qos.logback/logbac...@1.4.3",
"description" : "Logback: the generic, reliable, fast and flexible logging library for Java.",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/ch.qos.logback/logbac...@1.4.3?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"org.slf4j:slf4j-api:jar:2.0.1:compile" : {
"coordinates" : "pkg:maven/org.slf4j/slf4...@2.0.1",
"description" : "The slf4j API",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/slf4...@2.0.1?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"commons-logging:commons-logging:jar:1.2:compile" : {
"coordinates" : "pkg:maven/commons-logging/commons-logging@1.2",
"description" : "Commons Logging is a thin adapter allowing configurable bridging to other,\n well known logging systems.",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging@1.2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"net.logstash.logback:logstash-logback-encoder:jar:7.2:compile" : {
"coordinates" : "pkg:maven/net.logstash.logback/logstash-logback-encoder@7.2",
"description" : "Logback encoder which will output events as Logstash-compatible JSON",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/net.logstash.logback/logstash-logback-encoder@7.2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile" : {
"coordinates" : "pkg:maven/com.fasterxml.jackson.core/jackson-...@2.13.3",
"description" : "General data-binding functionality for Jackson: works on core streaming API",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-...@2.13.3?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"vulnerabilities" : [ {
"id" : "CVE-2022-42003",
"displayName" : "CVE-2022-42003",
"title" : "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data",
"description" : "In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1",
"cvssScore" : 7.5,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2022-42003",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-42003?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42003", "https://github.com/FasterXML/jackson-databind/issues/3590", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020" ]
}, {
"id" : "CVE-2022-42004",
"displayName" : "CVE-2022-42004",
"title" : "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data",
"description" : "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
"cvssScore" : 7.5,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2022-42004",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-42004?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42004", "https://github.com/FasterXML/jackson-databind/issues/3582", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490" ]
} ]
},
"ch.qos.logback:logback-classic:jar:1.4.3:compile" : {
"coordinates" : "pkg:maven/ch.qos.logback/logback...@1.4.3",
"description" : "Logback: the generic, reliable, fast and flexible logging library for Java.",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/ch.qos.logback/logback...@1.4.3?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile" : {
"coordinates" : "pkg:maven/com.fasterxml.jackson.core/jackson-a...@2.13.3",
"description" : "Core annotations used for value types, used by Jackson databinding package.",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-a...@2.13.3?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"org.apache.logging.log4j:log4j-api:jar:2.19.0:compile" : {
"coordinates" : "pkg:maven/org.apache.logging.log4j/log4...@2.19.0",
"description" : "The Log4J API",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4...@2.19.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
},
"log4j:log4j:jar:1.2.17:compile" : {
"coordinates" : "pkg:maven/log4j/lo...@1.2.17",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/log4j/lo...@1.2.17?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"vulnerabilities" : [ {
"id" : "CVE-2019-17571",
"displayName" : "CVE-2019-17571",
"title" : "[CVE-2019-17571] CWE-502: Deserialization of Untrusted Data",
"description" : "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.",
"cvssScore" : 9.8,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2019-17571",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2019-17571?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571", "https://issues.apache.org/jira/browse/LOG4J2-1863", "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" ]
}, {
"id" : "CVE-2022-23305",
"displayName" : "CVE-2022-23305",
"title" : "[CVE-2022-23305] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"description" : "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
"cvssScore" : 9.8,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-89",
"cve" : "CVE-2022-23305",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23305?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23305", "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", "https://logging.apache.org/log4j/1.2/index.html", "https://logging.apache.org/log4j/2.x/security.html" ]
}, {
"id" : "CVE-2022-23302",
"displayName" : "CVE-2022-23302",
"title" : "[CVE-2022-23302] CWE-502: Deserialization of Untrusted Data",
"description" : "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
"cvssScore" : 8.8,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2022-23302",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23302?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23302", "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", "https://logging.apache.org/log4j/1.2/index.html" ]
}, {
"id" : "CVE-2022-23307",
"displayName" : "CVE-2022-23307",
"title" : "[CVE-2022-23307] CWE-502: Deserialization of Untrusted Data",
"description" : "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.",
"cvssScore" : 8.8,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2022-23307",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23307?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23307", "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", "https://logging.apache.org/log4j/1.2/index.html", "https://logging.apache.org/log4j/2.x/security.html" ]
}, {
"id" : "CVE-2021-4104",
"displayName" : "CVE-2021-4104",
"title" : "[CVE-2021-4104] CWE-502: Deserialization of Untrusted Data",
"description" : "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
"cvssScore" : 7.5,
"cvssVector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2021-4104",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2021-4104?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104", "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" ]
}, {
"id" : "sonatype-2010-0053",
"displayName" : "sonatype-2010-0053",
"title" : "1 vulnerability found",
"description" : "1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this information using your registered account",
"cvssScore" : 7.8,
"cvssVector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-699",
"reference" : "https://ossindex.sonatype.org/vulnerability/sonatype-2010-0053"
} ]
},
"com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile" : {
"coordinates" : "pkg:maven/com.fasterxml.jackson.core/jackso...@2.13.3",
"description" : "Core Jackson abstractions, basic JSON streaming API implementation",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackso...@2.13.3?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
}
},
"vulnerable" : {
"log4j:log4j:jar:1.2.17:compile" : {
"coordinates" : "pkg:maven/log4j/lo...@1.2.17",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/log4j/lo...@1.2.17?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"vulnerabilities" : [ {
"id" : "CVE-2019-17571",
"displayName" : "CVE-2019-17571",
"title" : "[CVE-2019-17571] CWE-502: Deserialization of Untrusted Data",
"description" : "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.",
"cvssScore" : 9.8,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2019-17571",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2019-17571?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571", "https://issues.apache.org/jira/browse/LOG4J2-1863", "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" ]
}, {
"id" : "CVE-2022-23305",
"displayName" : "CVE-2022-23305",
"title" : "[CVE-2022-23305] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"description" : "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
"cvssScore" : 9.8,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-89",
"cve" : "CVE-2022-23305",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23305?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23305", "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", "https://logging.apache.org/log4j/1.2/index.html", "https://logging.apache.org/log4j/2.x/security.html" ]
}, {
"id" : "CVE-2022-23302",
"displayName" : "CVE-2022-23302",
"title" : "[CVE-2022-23302] CWE-502: Deserialization of Untrusted Data",
"description" : "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
"cvssScore" : 8.8,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2022-23302",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23302?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23302", "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", "https://logging.apache.org/log4j/1.2/index.html" ]
}, {
"id" : "CVE-2022-23307",
"displayName" : "CVE-2022-23307",
"title" : "[CVE-2022-23307] CWE-502: Deserialization of Untrusted Data",
"description" : "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.",
"cvssScore" : 8.8,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2022-23307",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23307?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23307", "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", "https://logging.apache.org/log4j/1.2/index.html", "https://logging.apache.org/log4j/2.x/security.html" ]
}, {
"id" : "CVE-2021-4104",
"displayName" : "CVE-2021-4104",
"title" : "[CVE-2021-4104] CWE-502: Deserialization of Untrusted Data",
"description" : "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.",
"cvssScore" : 7.5,
"cvssVector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2021-4104",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2021-4104?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104", "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" ]
}, {
"id" : "sonatype-2010-0053",
"displayName" : "sonatype-2010-0053",
"title" : "1 vulnerability found",
"description" : "1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this information using your registered account",
"cvssScore" : 7.8,
"cvssVector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe" : "CWE-699",
"reference" : "https://ossindex.sonatype.org/vulnerability/sonatype-2010-0053"
} ]
},
"com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile" : {
"coordinates" : "pkg:maven/com.fasterxml.jackson.core/jackson-...@2.13.3",
"description" : "General data-binding functionality for Jackson: works on core streaming API",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-...@2.13.3?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"vulnerabilities" : [ {
"id" : "CVE-2022-42003",
"displayName" : "CVE-2022-42003",
"title" : "[CVE-2022-42003] CWE-502: Deserialization of Untrusted Data",
"description" : "In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1",
"cvssScore" : 7.5,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2022-42003",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-42003?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42003", "https://github.com/FasterXML/jackson-databind/issues/3590", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020" ]
}, {
"id" : "CVE-2022-42004",
"displayName" : "CVE-2022-42004",
"title" : "[CVE-2022-42004] CWE-502: Deserialization of Untrusted Data",
"description" : "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.",
"cvssScore" : 7.5,
"cvssVector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe" : "CWE-502",
"cve" : "CVE-2022-42004",
"reference" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-42004?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1",
"externalReferences" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42004", "https://github.com/FasterXML/jackson-databind/issues/3582", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490" ]
} ]
}
}
}

I would also like to access some of the arrays, but my tests don't trigger here at all.
Thanks in advance for any help

Federico Gustavo Galland

Oct 19, 2022, 2:18:04 PM10/19/22
to Wazuh mailing list
Hi There,

The proper way to handle multi-line JSON is through the multi-line-regex log_format.

  <!-- Collect a pretty-printed (multi-line) JSON report as a single event.
       The multi-line-regex log_format joins consecutive lines into one record;
       each record starts on a line matching multiline_regex (here: a line beginning
       with "{"), and replace="wspace" replaces the joined line breaks with whitespace
       so the result is one single-line JSON document the json decoder can parse.
       NOTE(review): a report whose top-level "{" is not at the start of a line, or
       nested lines that also start with "{", would split the record differently —
       confirm with the logtest tool on a real sample. -->
  <localfile>
    <log_format>multi-line-regex</log_format>
    <location>/var/log/testlog.json</location>
    <multiline_regex replace="wspace">^{</multiline_regex>
  </localfile>

This should be enough to handle your multi-line log.

I tested this configuration by appending your provided log to the /var/log/testlog.json file declared in that config block while watching the archives.json output.

This produced a proper single-line JSON event in archives, which I then unescaped and tested with our logtest tool.

This log is quite long, so I'm attaching the output of the tool as a text file.

Let me know if this works for you as well.
logtest_output.txt

Federico Gustavo Galland

Oct 20, 2022, 1:50:10 PM10/20/22
to Wazuh mailing list
I've created a sample rule file that generates a basic alert whenever one of these reports is received.

<!-- Sample rules for OSS Index JSON reports: a level-0 grouping rule plus one
     level-3 child that raises a basic alert when the report lists vulnerabilities. -->
<group name="ossindex,json,">

  <!-- Parent rule: identifies an OSS Index report. <match> is a plain substring test
       against the whole event, so any decoded JSON event that contains the string
       "ossindex.sonatype.org" anywhere (e.g. in a "reference" URL) is grouped here. -->
  <rule id="105000" level="0">
    <decoded_as>json</decoded_as>
    <match>ossindex.sonatype.org</match>
    <description>OSS Index rules grouped</description>
  </rule>

  <!-- Child rule: fires only for events already matched by 105000. Level 3 is the
       default alert threshold, so this produces a visible alert.
       NOTE(review): because <match> is a substring test, this fires whenever the
       string "vulnerabilities" appears anywhere in the event, including inside
       the "reports" section; if the goal is to alert only on the "vulnerable"
       section, a <field> test on the flattened "vulnerable.*" keys would be more
       precise — confirm the flattened key names with the logtest tool. -->
  <rule id="105001" level="3">
    <if_sid>105000</if_sid>
    <match>vulnerabilities</match>
    <description>OSS index Vulnerability Report</description>
  </rule>

</group>

