GHSA-3W6P-8F82-GW8R

Vulnerability from github – Published: 2021-12-17 20:42 – Updated: 2021-12-17 20:34
Summary
Using JMSAppender in log4j configuration may lead to deserialization of untrusted data
Details

Impact

ClickHouse JDBC Bridge uses slf4j-log4j12 1.7.32, which depends on log4j 1.2.17. This allows a remote attacker to execute code on the server if the default log4j configuration has been changed to add a JMSAppender pointing at an insecure JMS broker.

Patches

The patch version 2.0.7 removed the log4j dependency by replacing slf4j-log4j12 with slf4j-jdk14. The logging configuration also changed from log4j.properties to logging.properties.

Workarounds

  1. Do NOT change the log4j configuration to use JMSAppender together with an insecure JMS broker.
  2. Alternatively, you can run the following commands to remove JMSAppender.class from the jar:

```bash
# install the zip command if you don't have it
apt-get update && apt-get install -y zip
# remove the class
zip -d clickhouse-jdbc-bridge*.jar ru/yandex/clickhouse/jdbcbridge/internal/log4j/net/JMSAppender.class
```
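
As an added example (not code from the advisory or the clickhouse-jdbc-bridge project), the following Python audits a jar for the JMSAppender class on both the shaded path named in the workaround and the standard org/apache/log4j path (an assumption added so plain log4j 1.2 jars are also covered), strips it the way the zip -d command does, and flags any appender in a log4j.properties whose class is a JMSAppender. The jar and the properties text are constructed samples.

```python
# Added example: audit a jar and a log4j.properties for the JMSAppender exposure.
import io
import re
import zipfile

# The shaded path the advisory's workaround deletes, plus the unshaded log4j 1.2
# location (assumed here so the check also covers a plain log4j-1.2.17.jar).
JMS_APPENDER_CLASSES = (
    "ru/yandex/clickhouse/jdbcbridge/internal/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/JMSAppender.class",
)
_APPENDER_LINE = re.compile(r"^\s*log4j\.appender\.(\w+)\s*=\s*(\S+)")

def find_jms_appender(jar_bytes: bytes) -> list:
    """Return the JMSAppender class entries present in a jar (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return [c for c in JMS_APPENDER_CLASSES if c in names]

def strip_jms_appender(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without JMSAppender entries: the 'zip -d' workaround in Python."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename not in JMS_APPENDER_CLASSES:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def config_jms_appenders(properties_text: str) -> list:
    """Names of appenders in log4j.properties whose class is a JMSAppender."""
    found = []
    for line in properties_text.splitlines():
        m = _APPENDER_LINE.match(line)
        if m and m.group(2).endswith("JMSAppender"):
            found.append(m.group(1))
    return found

def sample_jar() -> bytes:
    """Constructed sample jar: a manifest plus the shaded class (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JMS_APPENDER_CLASSES[0], b"\xca\xfe\xba\xbe")
    return buf.getvalue()

# Constructed log4j.properties with the appender line an audit should flag.
SAMPLE_CONFIG = (
    "log4j.rootLogger=INFO, stdout, jms\n"
    "log4j.appender.stdout=org.apache.log4j.ConsoleAppender\n"
    "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
)
```

Run the audit against the deployed jar and its active log4j.properties; a non-empty result from either function means the workaround has not been applied or the unsafe configuration is in place.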

References

Please refer to CVE-2021-4104 to read more.

For more information

If you have any questions or comments about this advisory, please feel free to open an issue in the repository.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ru.yandex.clickhouse:clickhouse-jdbc-bridge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-17T20:34:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nClickHouse JDBC Bridge uses [slf4j-log4j12 1.7.32](https://repo1.maven.org/maven2/org/slf4j/slf4j-log4j12/1.7.32/), which depends on [log4j 1.2.17](https://repo1.maven.org/maven2/log4j/log4j/1.2.17/). It allows a remote attacker to execute code on the server, if you changed default log4j configuration by adding JMSAppender and an insecure JMS broker.\n\n### Patches\n\nThe patch version `2.0.7` removed log4j dependency by replacing `slf4j-log4j12` to `slf4j-jdk14`. Logging configuration is also changed from `log4j.properties` to `logging.properties`.\n\n### Workarounds\n\n1. Do NOT change log4j configuration to use JMSAppender along with insecure JMS broker\n2. Alternatively, you can issue below command to remove `JMSAppender.class`:\n\n```(bash)\n# install zip command if you don\u0027t have\napt-get update \u0026\u0026 apt-get install -y zip\n# remove the class\nzip -d clickhouse-jdbc-bridge*.jar ru/yandex/clickhouse/jdbcbridge/internal/log4j/net/JMSAppender.class\n```\n\n### References\n\nPlease refer to [CVE-2021-4104](https://access.redhat.com/security/cve/CVE-2021-4104) to read more.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please feel free to open an issue in the repository.\n",
  "id": "GHSA-3w6p-8f82-gw8r",
  "modified": "2021-12-17T20:34:04Z",
  "published": "2021-12-17T20:42:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ClickHouse/clickhouse-jdbc-bridge/security/advisories/GHSA-3w6p-8f82-gw8r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ClickHouse/clickhouse-jdbc-bridge"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Using JMSAppender in log4j configuration may lead to deserialization of untrusted data"
}
