
Bug#1001684: Davmail should use log4j 2.16 rather than 1.2


Alain Knaff

Dec 14, 2021, 5:10:03 AM
Package: davmail
Version: 5.1.0.2891-2

Hi,

According to https://github.com/jagornet/dhcp/issues/20 , log4j 1.2 is
vulnerable to CVE-2019-17571, so davmail should use log4j 2.15 or 2.16
instead.

Thanks,

--
Alain Knaff
Ingénieur Informaticien

LE GOUVERNEMENT DU GRAND-DUCHÉ DE LUXEMBOURG
Ministère de l'Environnement, du Climat et du Développement durable
Administration de l'environnement

1, avenue du Rock'n'Roll . L-4361 Esch-sur-Alzette
Tél. (+352) 40 56 56-309
E-Mail: Alain...@aev.etat.lu
www.emwelt.lu . www.environnement.public.lu . www.luxembourg.lu

Alexandre Rossi

Dec 14, 2021, 6:00:03 AM
tag 1001684 moreinfo
thanks

Hi,

> According to https://github.com/jagornet/dhcp/issues/20 , log4j 1.2 is
> vulnerable to CVE-2019-17571, so davmail should use log4j 2.15 or 2.16
> instead.

According to the debian security tracker[1], this has been fixed in
log4j so davmail uses a fixed version.
https://security-tracker.debian.org/tracker/source-package/apache-log4j1.2

Do you have exploit code that works against davmail or any other clue
that davmail needs fixing?

Thanks,

Alex

Alain Knaff

Dec 14, 2021, 6:40:04 AM
Hi Alexandre,

On 14/12/2021 11:51, Alexandre Rossi wrote:
> tag 1001684 moreinfo
> thanks
>
> Hi,
>
>> According to https://github.com/jagornet/dhcp/issues/20 , log4j 1.2 is
>> vulnerable to CVE-2019-17571, so davmail should use log4j 2.15 or 2.16
>> instead.
>
> According to the debian security tracker[1], this has been fixed in
> log4j so davmail uses a fixed version.
> https://security-tracker.debian.org/tracker/source-package/apache-log4j1.2

ok that's good news :-)

>
> Do you have exploit code that works against davmail or any other clue
> that davmail needs fixing?

Unfortunately not.

I only stumbled upon this when examining our servers for instances
vulnerable to CVE-2021-44228. Forums seem to claim that log4j
versions 1 are not safe either (different vulnerabilities), but without
giving any specifics. However, log4j team itself says versions 1.x are
"end of life" and should be avoided. So, it's more a case of "better be
safe than sorry" than any concrete exploit.

Also, since a while already, Java now has its own internal logging
framework (java.util.logging.Logger), so there should be less and less
reason to use potentially unsafe third-party logging libraries (but
switching to java's internal logging might be more difficult to do in
the short run than just upgrading to a newer version).


>
> Thanks,
>
> Alex
>

Regards,

Alexandre Rossi

Dec 14, 2021, 8:20:03 AM
tag 1001684 -moreinfo +upstream
severity 1001684 wishlist
thanks

> I only stumbled upon this when examining our servers for instances
> vulnerable to CVE-2021-44228. Forums seem to claim that log4j
> versions 1 are not safe either (different vulnerabilities), but without
> giving any specifics. However, log4j team itself says versions 1.x are
> "end of life" and should be avoided. So, it's more a case of "better be
> safe than sorry" than any concrete exploit.
>
> Also, since a while already, Java now has its own internal logging
> framework (java.util.logging.Logger), so there should be less and less
> reason to use potentially unsafe third-party logging libraries (but
> switching to java's internal logging might be more difficult to do in
> the short run than just upgrading to a newer version).

I'll try to report this upstream.

Alex

Geert Stappers

Dec 14, 2021, 10:10:03 AM
On Tue, Dec 14, 2021 at 08:52:50AM +0100, Ole Holm Nielsen via Davmail-users wrote:
> Hi,
>
> We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS 7.9.
> However, it's only a few days ago that the Vulnerability in Apache Log4j
> (CVE-2021-44228-Log4j) was announced. We note that Davmail includes a log4j
> component:
>
> $ rpm -ql davmail | grep log4j
> /usr/share/davmail/lib/log4j-1.2.16.jar
> /usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar
>
> Question: Is davmail vulnerable to log4j? If so, when could we expect a
> security fix?

Quoting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001684#22
Debian maintainer of Davmail, Alexandre Rossi:

> Also, since a while already, Java now has its own internal logging
> framework (java.util.logging.Logger), so there should be less and
> less reason to use potentially unsafe third-party logging libraries
> (but switching to java's internal logging might be more difficult
> to do in the short run than just upgrading to a newer version).

I'll try to report this upstream.

And I hope this helps

Groeten
Geert Stappers
--
Silence is hard to parse

Alexandre Rossi

Dec 14, 2021, 11:10:03 AM
Hi,

> > We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS 7.9.
> > However, it's only a few days ago that the Vulnerability in Apache Log4j
> > (CVE-2021-44228-Log4j) was announced. We note that Davmail includes a log4j
[...]
> > Question: Is davmail vulnerable to log4j? If so, when could we expect a
> > security fix?
>
> Quoting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001684#22
> Debian maintainer of Davmail, Alexandre Rossi:
>
> > Also, since a while already, Java now has its own internal logging
> > framework (java.util.logging.Logger), so there should be less and
> > less reason to use potentially unsafe third-party logging libraries
> > (but switching to java's internal logging might be more difficult
> > to do in the short run than just upgrading to a newer version).
>
> I'll try to report this upstream.

To clarify the log4j1 situation, it appears that it is not vulnerable
unless you use JMSAppender which davmail does not.
(there is also CVE-2019-17571 with SocketAppender which is disabled
but usable in davmail).
To clarify the Debian situation, the Debian package does not use the
embedded jar but the system shared jar.

In the case of davmail, I would say that there is a good chance that
the current provided compiled zip in 6.0.1 is not vulnerable to
CVE-2021-44228 because it does not use JMSAppender.

Alex
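The appender check Alexandre describes above (log4j 1.x is only exposed when JMSAppender is configured, and SocketAppender is the CVE-2019-17571 case) can be turned into a quick audit of a log4j.properties file. The script below is an added example, not code from this bug thread or from the DavMail project; the function names, the regular expressions and the sample configuration it writes are mine, and the sample is a constructed properties file rather than DavMail's real one. It reports every active line that configures one of the two appenders, ignores commented-out definitions (a disabled appender is present but inert), and then narrows the result to appenders that are actually attached to log4j.rootLogger or a log4j.logger.* entry, since a defined but unreferenced appender is never instantiated.

```shell
#!/bin/sh
# Added example (not from the Debian bug thread or from DavMail): audit a
# log4j 1.x properties file for the two appenders the thread singles out,
# JMSAppender and SocketAppender (the latter is CVE-2019-17571). log4j 1.x
# only reaches the affected code when one of them is configured.

# Fully qualified class names of the two appenders (ERE syntax).
RISKY_APPENDER_RE='org\.apache\.log4j\.net\.(JMS|Socket)Appender'

# Print the active (non-commented) lines that configure a risky appender.
# Exit status: 0 when none is configured, 1 when at least one is.
log4j1_audit_config() {
    config="$1"
    # Lines starting with '#' or '!' are comments in a Java properties file;
    # a commented-out appender is disabled, as the thread describes.
    hits=$(grep -Ev '^[[:space:]]*[#!]' "$config" | grep -E "$RISKY_APPENDER_RE" || true)
    if [ -n "$hits" ]; then
        printf '%s: risky log4j 1.x appender configured:\n%s\n' "$config" "$hits"
        return 1
    fi
    printf '%s: no JMSAppender/SocketAppender configured\n' "$config"
    return 0
}

# Print the names of risky appenders that a logger actually references
# (log4j.rootLogger=LEVEL, a, b or log4j.logger.x=LEVEL, a). An appender that
# is defined but never attached is not instantiated and cannot be reached.
log4j1_attached_risky_appenders() {
    config="$1"
    grep -Ev '^[[:space:]]*[#!]' "$config" \
      | sed -n -E "s/^log4j\.appender\.([^.=]+)=$RISKY_APPENDER_RE.*/\1/p" \
      | while IFS= read -r name; do
            if grep -Ev '^[[:space:]]*[#!]' "$config" \
               | grep -E "^log4j\.(rootLogger|logger\.[^=]*)=.*[,[:space:]]$name([[:space:]]*,.*)?[[:space:]]*$" >/dev/null; then
                echo "$name"
            fi
        done
}

# Constructed sample configuration (not DavMail's real log4j.properties): a
# commented-out SocketAppender, an active JMSAppender attached to the root
# logger, and a SocketAppender that is defined but attached to nothing.
write_sample_config() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
log4j.rootLogger=WARN, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
# log4j.appender.sock=org.apache.log4j.net.SocketAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.unused=org.apache.log4j.net.SocketAppender
EOF
    echo "$tmp"
}

# Demo run on the constructed sample; on a real host pass the path of the
# deployed configuration (for the DavMail RPM, the file next to the jars
# listed by 'rpm -ql davmail') instead.
cfg=$(write_sample_config)
if log4j1_audit_config "$cfg"; then
    echo "nothing to do"
else
    echo "attached to a logger: $(log4j1_attached_risky_appenders "$cfg" | tr '\n' ' ')"
fi
rm -f "$cfg"
```

On the sample, the audit flags both the active JMSAppender and the unattached SocketAppender, while the attached-appender pass reduces that to `jms` only, which is the one that would matter; the commented-out SocketAppender is never reported.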

Geert Stappers

Dec 14, 2021, 1:10:04 PM
On Tue, Dec 14, 2021 at 06:23:29PM +0100, Mickaël Guessant wrote:
To: davmai...@lists.sourceforge.net
> Le 14/12/2021 à 08:52, Ole Holm Nielsen via Davmail-users a écrit :
> > Hi,
> >
> > We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS
> > 7.9.  However, it's only a few days ago that the Vulnerability in Apache
> > Log4j (CVE-2021-44228-Log4j) was announced.  We note that Davmail
> > includes a log4j component:
> >
> > $ rpm -ql davmail | grep log4j
> > /usr/share/davmail/lib/log4j-1.2.16.jar
> > /usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar
> >
> > Question: Is davmail vulnerable to log4j?  If so, when could we expect a
> > security fix?
> >
> > Thanks,
> > Ole
> >
> The good news is that DavMail is *not* vulnerable to latest Log4J 2 CVE as
> it depends on log4J version 1.

FWIW: That matches https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001684#38

> Regards,
> Mickaël Guessant

@Alexandre: FYI, your message didn't yet reach Davmail mailinglist subscribers.

Groeten
Geert Stappers
--
Silence is hard to parse