Add a post on the state of the log4j CVE in the Scala ecosystem. #1315
Conversation
sjrd
force-pushed
the
blog-log4j
branch
2 times, most recently
from
34647b8 to
6dc442f
Compare
Do you have an example/draft of what you have in mind? |
|
I saw this floating around on twitter today: https://github.com/stripe/log4j-remediation-tools But neither tried it nor looked at it in any depth. |
Something along the lines of: ConclusionThe log4j vulnerabilities shook our community and reminded us how dependent we all are on open source software. Please do not hesitate to update this post with libraries and tools vulnerable to the CVEs and to propose tools to help address them. |
|
Thanks. I added your suggestions. |
|
LGTM. I only wonder if we can also include a small snippet with an sbt task (or piece of code to run in sbt console) to filter |
My intuition would be to use |
|
|
||
| Two very widespread vulnerabilities in log4j v2 are wreaking havoc in the JVM ecosystem. | ||
| The vulnerabilities are registered as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046). | ||
|
|
There was a problem hiding this comment.
| The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors. For further technical guidance, see [Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation](https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/) for example. | |
|
|
||
| ## Useful sbt tasks and settings | ||
|
|
||
| If your application is written in sbt, which is common in the Scala ecosystem, here are some information on how to identify the classpath of your application, and how to force an upgrade of the log4j dependencies. |
There was a problem hiding this comment.
s/written in sbt/built with sbt/
There was a problem hiding this comment.
s/identify the classpath/determine the classpath/
| [success] Total time: 0 s, completed Dec 16, 2021 11:07:28 AM | ||
| ``` | ||
|
|
||
| With older versions of sbt, the command looks like |
There was a problem hiding this comment.
How old, exactly? ("version x.y or earlier")
There was a problem hiding this comment.
| With older versions of sbt, the command looks like | |
| Prior to sbt 1.1.0, the command looks like |
| | Artifact or tool name | Fixed in version | | ||
| |-----------------------|------------------| | ||
| | sbt | 1.5.7 | |
There was a problem hiding this comment.
| | Artifact or tool name | Fixed in version | | |
| |-----------------------|------------------| | |
| | sbt | 1.5.7 | | |
| | Artifact or tool name | Affected versions | Fixed in version | | |
| |----------------------|------------------|------------------| | |
| | sbt | 1.x < 1.5.7 | 1.5.7 | | |
| Log4j is not enabled by default since sbt 1.4.0, but all users are recommended to upgrade to the latest fixed version. Any organization using sbt as part of CI/CD (continuous integration and delivery), automated publishing, and projects that expose TCP/IP entry point during testing may be most vulnerable to an exploit. |
|
|
||
| ### `fullClasspath` | ||
|
|
||
| The task `fullClasspath`, properly scoped to a project and a configuration, gives the final, full classpath with which your project is executed. |
There was a problem hiding this comment.
Should we recommend externalClasspath instead? For a large project, this would cut down some noise coming from internal (other subprojects) classpath.
There was a problem hiding this comment.
I added a sentence to suggest externalClasspath in some cases for large builds. Let me know if it looks accurate to you.
|
Updated with your suggestions. |
|
Thanks for the reviews. I'll merge it now, but further comments and updates are of course very welcome. |
|
|
||
| A project is affected by the log4j vulnerabilities if it contains a vulnerable version of a log4j artifact on its classpath. | ||
|
|
||
| You may find below a non-comprenhensive list of core Scala tools and libraries known to be affected by the vulnerability, and in which version (if any) it is addressed. |
Also cc @romanowski , @tgodzik , @lrytz
Also if there are library maintainers who would like to share the status of their libraries, feel free to say so.