Wildfly triggers Vulnerability Apache Log4j SEoL (<= 1.x) - false positive?

jvi...@gmail.com

Jul 21, 2025, 3:53:53 AM
to WildFly
A Tenable scan of our system with WildFly (currently version 35) triggered a new vulnerability.

https://www.tenable.com/plugins/nessus/182252

Triggered by:

Path                                   : /var/lib/wildfly/modules/system/layers/base/org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.3.0.Final.jar
  Installed version                      : 1.3.0
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 9 years

and
https://www.tenable.com/plugins/nessus/156860

Path              : /var/lib/wildfly/modules/system/layers/base/org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.3.0.Final.jar
  Installed version : 1.3.0

Path              : /var/lib/wildfly/modules/system/layers/base/org/jboss/logmanager/log4j2/main/log4j2-jboss-logmanager-1.1.1.Final.jar
  Installed version : 1.1.1

I believe these are false positives because these modules are maintained by the WildFly team, right?

I suppose other users might be affected by these kinds of scan results as well. It would be great to have some clarification from the WildFly team that their fork of log4j is not vulnerable to these issues, so we can convince Tenable support to remove the flagging of these libraries.

Otherwise it is hard to justify a "Critical" issue in our software to customers.

Bartosz Baranowski

Jul 23, 2025, 3:26:08 AM
to WildFly
Hmm. And the vulnerability is "old artifact"?
Also, the links provided hint at "Apache Log4j".
As to logmanager, AFAIR James is handling it, i.e.:
https://github.com/jboss-logging/log4j-jboss-logmanager/commit/09a08ed8c059dcf75b57d741b6c3809282ada84f

jvi...@gmail.com

Jul 24, 2025, 9:54:54 AM
to WildFly
The vulnerabilities flagged are several CVEs related to log4j:

- Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. (CVE-2019-17571)

- Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. (CVE-2020-9488)

- JMSSink uses JNDI in an unprotected manner, allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accessed by the attacker. (CVE-2022-23302)

James Perkins

Jul 25, 2025, 12:30:29 PM
to WildFly
I'll start with saying log4j is no longer supported in newer versions of WildFly and our suggestion is to migrate off of log4j to either log4j 2 or some other logging facade.

As to these specific questions, these are all fixed in 1.3.0.Final of the log4j-jboss-logmanager. See https://github.com/jboss-logging/log4j-jboss-logmanager/releases/tag/1.3.0.Final for the details.
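The kind of triage check this thread needed, added here as an example (not code from the thread, WildFly or JBoss Logging): read a jar's manifest identity and see which of the log4j 1.x classes behind the three CVEs quoted above it actually ships, so a scanner's path-based finding can be compared against the artifact itself. The sample jars are constructed in memory; the manifest attribute names are the standard jar ones, and class presence is not by itself a verdict on whether a fork fixed the code.

```python
import io
import zipfile

# Class files implicated by the CVEs quoted in the thread (Apache log4j 1.x paths).
# Presence says only that a component a scanner keys on is shipped, not whether a fork patched it.
CVE_CLASSES = {
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
    "CVE-2020-9488": "org/apache/log4j/net/SMTPAppender.class",
    "CVE-2022-23302": "org/apache/log4j/net/JMSSink.class",
}


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF. A line starting with a
    single space continues the previous attribute's value (jar spec wrapping)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_jar(jar_bytes):
    """Return the jar's manifest identity and which CVE-implicated classes it ships."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return {
        "title": manifest.get("Implementation-Title"),
        "version": manifest.get("Implementation-Version"),
        "cve_classes_present": {cve: p in names for cve, p in CVE_CLASSES.items()},
    }


def build_sample_jar(title, version, classes):
    """Constructed sample jar for offline use; not a real log4j or JBoss artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                    f"Implementation-Title: {title}\r\n"
                    f"Implementation-Version: {version}\r\n\r\n")
        for cls in classes:
            zf.writestr(cls, b"")  # empty stand-in for a class file
    return buf.getvalue()
```

Against a real file, call triage_jar(open(path, "rb").read()) and read the result next to the release notes before disputing a finding.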

jvi...@gmail.com

Sep 1, 2025, 3:36:30 AM
to WildFly
It seems Tenable fixed that; WildFly libs are no longer flagged for these issues.

Thanks