Apache Log4j version 2.25.3??


Steven Gabriel

Feb 16, 2026, 1:23:20 PM
to ZAP User Group
The current release of ZAP, 2.17.0, contains log4j-core-2.25.2.
As this is becoming a hot item, I am seeing developer talk of 2.17.2 downloads which will have the latest 2.25.3 fix applied. Is this true, and when is ZAP going to produce a download update to apply? Or is this available via the application itself?
Steve

kingthorin+zap

Feb 16, 2026, 1:29:27 PM
to ZAP User Group
I'm curious, where are you seeing this developer talk about 2.17.2?

Steven Gabriel

Feb 16, 2026, 1:33:56 PM
to zaprox...@googlegroups.com
I've done a few Google searches for 2.25.3 and Apache itself has suggested a 2.17.2 download; I've seen another one for a 2.17.1 download from Maven repositories - sites that, of course, I am not familiar with and hesitate to go further into.

--
ZAP by Checkmarx: https://www.zaproxy.org/
---
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/zaproxy-users/d51f4ae1-3b34-467b-b93d-125e42053f39n%40googlegroups.com.

Simon Bennetts

Feb 16, 2026, 4:26:56 PM
to ZAP User Group
We have not discussed a 2.17.1 release in the ZAP Core Team, let alone 2.17.2 :)
What vulnerability in the log4j-core-2.25.2 are you concerned about, and how do you think it makes ZAP vulnerable?

Cheers,

Simon

Steven Gabriel

Feb 16, 2026, 11:20:56 PM
to zaprox...@googlegroups.com

Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE

Description

The version of Apache Log4j on the remote host is 2.0 < 2.3.2, 2.4 < 2.12.4, or 2.13 < 2.17.1. It is, therefore, affected by a remote code execution vulnerability. Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Log4j version 2.17.1, 2.12.4, or 2.3.2 or later, or apply the vendor mitigation.

========================

Sorry for the font - but the current version of ZAP has version 2.17.0 of log4j - thus Nessus is tagging this as a finding... The question is when will ZAP be updated to resolve said finding?
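
An added example, not the thread's or ZAP's own code, that separates the two version numbers being conflated above: it encodes the three affected ranges and the fix releases exactly as the Nessus plugin text states them, reads the log4j-core version from the jar's own Maven pom.properties instead of trusting a product version string, and classifies the result. The jar filename pattern and the pom.properties path are the standard Maven layout of log4j-core jars; the sample jar is constructed in memory for the example, and the lib/ directory mentioned in a comment is assumed.

```python
"""Classify a bundled log4j-core jar against the Nessus ranges quoted above.

Added example, not part of the thread or of ZAP. The ranges come from the
Nessus text: 2.0 < 2.3.2, 2.4 < 2.12.4, 2.13 < 2.17.1 (fix releases 2.3.2,
2.12.4, 2.17.1). Jar names and the pom.properties path follow the standard
Maven layout of log4j-core jars.
"""
import io
import re
import zipfile
from pathlib import Path

# (lower bound inclusive, first fixed version) per affected branch, per the Nessus text.
AFFECTED_BRANCHES = (
    ((2, 0), (2, 3, 2)),
    ((2, 4), (2, 12, 4)),
    ((2, 13), (2, 17, 1)),
)

# Standard Maven metadata path inside a log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); pre-release suffixes such as '-beta7' are dropped."""
    numeric = text.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def is_affected(version):
    """Version-only check, i.e. the logic Nessus says it relied on."""
    v = parse_version(version) if isinstance(version, str) else version
    return any(lower <= v < fixed for lower, fixed in AFFECTED_BRANCHES)


def version_from_jar_name(filename):
    """Fallback: take the version from a log4j-core-<version>.jar filename."""
    m = JAR_NAME.match(Path(filename).name)
    return m.group(1) if m else None


def version_from_jar(jar_bytes):
    """Preferred: read the version Maven recorded inside the jar; None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def build_fake_jar(version):
    """Constructed stand-in for a real log4j-core jar (pom.properties only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
    return buf.getvalue()


def assess(jar_name, jar_bytes):
    """Return (version used, affected), preferring the in-jar version over the filename."""
    version = version_from_jar(jar_bytes) or version_from_jar_name(jar_name)
    if version is None:
        raise ValueError(f"cannot determine log4j-core version of {jar_name}")
    return version, is_affected(version)


def scan_directory(directory):
    """Assess every log4j-core jar under a directory (assumed: an install's lib/ folder)."""
    return {
        str(jar): assess(jar.name, jar.read_bytes())
        for jar in Path(directory).rglob("log4j-core-*.jar")
    }


if __name__ == "__main__":
    # The thread's confusion: ZAP's own version number vs the bundled log4j version.
    print("2.17.0 (ZAP's version) fed to a log4j version check:", is_affected("2.17.0"))
    print("log4j-core-2.25.2 as shipped:", assess("log4j-core-2.25.2.jar", build_fake_jar("2.25.2")))
```

Run `scan_directory()` against the install directory to see what is actually on disk; the point is that a scanner reading the product's version string (2.17.0) and a scanner reading the jar metadata (2.25.2) reach opposite conclusions.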

Simon Bennetts

Feb 17, 2026, 9:02:32 AM
to ZAP User Group
"vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code"

If an attacker can change the ZAP logging configuration then you are already compromised.
I do not think that this vulnerability impacts ZAP, and so I do not think we need to release a new version to "fix" it.

Cheers,

Simon
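
As an added example, not from Simon or the ZAP project, of the precondition he describes: the finding only matters if the log4j2 configuration contains a JDBC appender whose DataSource uses a JNDI name outside the java: protocol (exactly what the Nessus text says 2.17.1 rejects) and if someone other than the operator can write that file. The script scans a log4j2 XML config for such a DataSource and checks the file's POSIX mode bits. Both configs are constructed samples, the `ldap://malicious.example/x` value is a placeholder, and the exact `java:` prefix check is an assumption modelled on the Nessus description, not a reproduction of log4j's own code.

```python
"""Check a log4j2 XML configuration for the precondition of the finding above.

Added example; not the thread's or ZAP's code. Per the Nessus text, the
2.17.1 fix restricts JDBC appender DataSource JNDI names to the java:
protocol, so a config is only a concern if (a) it has a JDBC appender whose
DataSource uses a JNDI name outside java: and (b) someone other than the
operator could have written it. The sample configs are constructed.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the shape a normal JDBC appender takes (java: scheme).
BENIGN_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDB"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same appender pointed at a non-java: JNDI URI,
# the kind of name the 2.17.1 fix rejects. Placeholder host, not a real target.
TAMPERED_CONFIG = BENIGN_CONFIG.replace(
    "java:comp/env/jdbc/LoggingDB", "ldap://malicious.example/x"
)

# Constructed sample with no JDBC appender at all: nothing to report.
CONSOLE_ONLY_CONFIG = """<Configuration>
  <Appenders><Console name="out"><PatternLayout pattern="%m%n"/></Console></Appenders>
  <Loggers><Root level="info"><AppenderRef ref="out"/></Root></Loggers>
</Configuration>"""


def jndi_name_allowed_after_fix(jndi_name):
    """Models the fix as Nessus describes it: only java: names are accepted.
    The exact-prefix match is an assumption of this example."""
    return jndi_name.startswith("java:")


def find_jndi_datasources(config_xml):
    """Return (appender name, jndiName, allowed_after_fix) for every JDBC DataSource.

    log4j2 element and attribute names are matched case-insensitively.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            attrs = {k.lower(): v for k, v in child.attrib.items()}
            if child.tag.lower() == "datasource" and "jndiname" in attrs:
                name = attrs["jndiname"]
                findings.append(
                    (appender.get("name", "?"), name, jndi_name_allowed_after_fix(name))
                )
    return findings


def writable_by_others(path):
    """True if group or world may write the file: the 'attacker can change the
    logging configuration' precondition Simon points at. POSIX mode bits only."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def assess_config(path):
    """Combine both preconditions for a config file on disk."""
    with open(path, encoding="utf-8") as fh:
        findings = find_jndi_datasources(fh.read())
    return {
        "non_java_jndi": [f for f in findings if not f[2]],
        "writable_by_others": writable_by_others(path),
    }


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("tampered", TAMPERED_CONFIG),
                       ("console only", CONSOLE_ONLY_CONFIG)):
        print(label, "->", find_jndi_datasources(cfg))
```

If `non_java_jndi` is empty and the file is not writable by anyone but the operator, the described attack path does not exist regardless of the bundled log4j-core version; if the file is writable by others, that write access is the real finding, as the reply above says.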

Steven Gabriel

Feb 17, 2026, 6:57:37 PM
to zaprox...@googlegroups.com
Thanks Simon - I'll pass this answer on to my security team.
Cheers
