logpresso identifies CVE-2021-4104 #36

Closed
fipro78 opened this issue Feb 4, 2022 · 4 comments

Comments

@fipro78

fipro78 commented Feb 4, 2022

I downloaded reload4j 1.2.18.4 from Maven Central and executed logpresso [1] on it via

log4j2-scan --scan-log4j1 reload4j-1.2.18.4.jar

I get the following output:

[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in C:\Users\xxx\Downloads\reload4j\reload4j-1.2.18.4.jar, log4j N/A

Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 1 potentially vulnerable files
Found 0 mitigated files
Completed in 0.01 seconds

I don't know how logpresso actually works to identify the issue. But as the intention of reload4j is to fix CVE-2021-4104, there seems to be some inconsistency. Not sure if the ticket is placed correctly here or if it should be opened in the logpresso repository. Any insights would be helpful to get a consistent view on the fix provided via reload4j to avoid confusions.

[1] https://github.com/logpresso/CVE-2021-44228-Scanner

@ceki
Member

ceki commented Feb 4, 2022

@fipro78 CVE-2021-4104 has been fixed by hardening JMSAppender and not by removal. Is log4j2-scan checking for the removal of JMSAppender?

@fipro78
Author

fipro78 commented Feb 4, 2022

To be honest, I have no idea as I am just a user. But I have now also opened a ticket in logpresso. Maybe this way a communication can be established to solve the issue together.

logpresso/CVE-2021-44228-Scanner#271

@123Haynes

I think logpresso currently only checks if the JMSAppender class exists in the codebase and shows that output without checking it further.

See
https://github.com/logpresso/CVE-2021-44228-Scanner/blob/main/src/main/java/com/logpresso/scanner/Detector.java#L280
and
https://github.com/logpresso/CVE-2021-44228-Scanner/blob/main/src/main/java/com/logpresso/scanner/Detector.java#L352-L353
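
The comment above describes a presence-only rule: a jar that contains the JMSAppender class is reported as potentially vulnerable to CVE-2021-4104, which is exactly why a reload4j jar (where the class is kept but hardened) trips the scanner. The following is an added illustration of that false positive and of one way a scanner could avoid it; it is not logpresso's code and not reload4j's, and the specific marker it relies on (a Maven `pom.properties` entry under the `ch.qos.reload4j` group id) is an assumption about how a Maven-built reload4j jar is laid out, not something this thread confirms. The sample jars are constructed in memory with placeholder class bytes.

```python
"""Illustrative detector for the CVE-2021-4104 presence check discussed in the
thread, plus a refinement that stops flagging reload4j. Not logpresso's code."""
import io
import zipfile

# Entry whose presence the naive rule treats as the CVE-2021-4104 indicator.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"

# ASSUMPTION: a Maven-built reload4j jar ships its pom.properties at this path.
# Used here only as an example of a self-identification marker.
RELOAD4J_POM = "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties"

NOT_AFFECTED = "not affected"
POTENTIALLY_VULNERABLE = "potentially vulnerable (CVE-2021-4104, log4j 1.2)"
MITIGATED = "mitigated (reload4j)"


def presence_only(names):
    """Naive rule: any jar carrying JMSAppender is flagged, as described above."""
    return POTENTIALLY_VULNERABLE if JMS_APPENDER in names else NOT_AFFECTED


def with_reload4j_check(names):
    """Refined rule: JMSAppender present, but the jar identifies itself as
    reload4j (hardened appender rather than removed one) -> mitigated."""
    if JMS_APPENDER not in names:
        return NOT_AFFECTED
    if RELOAD4J_POM in names:
        return MITIGATED
    return POTENTIALLY_VULNERABLE


def classify_jar(jar_bytes, rule=with_reload4j_check):
    """Open a jar (a zip) from bytes and apply the chosen rule to its entry names."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return rule(names)


def build_jar(entries):
    """Build an in-memory jar from {entry_name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a log4j 1.2 style jar, a reload4j style jar, and a jar
# with no JMSAppender at all. The class contents are placeholder bytes.
SAMPLE_LOG4J12 = build_jar({
    JMS_APPENDER: b"\xca\xfe\xba\xbe",
    "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n",
})
SAMPLE_RELOAD4J = build_jar({
    JMS_APPENDER: b"\xca\xfe\xba\xbe",
    RELOAD4J_POM: b"groupId=ch.qos.reload4j\nartifactId=reload4j\nversion=1.2.18.4\n",
})
SAMPLE_CLEAN = build_jar({"com/example/App.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    samples = [
        ("log4j-1.2.17.jar (constructed)", SAMPLE_LOG4J12),
        ("reload4j-1.2.18.4.jar (constructed)", SAMPLE_RELOAD4J),
        ("app.jar (constructed)", SAMPLE_CLEAN),
    ]
    for label, jar in samples:
        print(f"{label}: presence-only -> {classify_jar(jar, presence_only)}; "
              f"refined -> {classify_jar(jar)}")
```

The refined rule is still a heuristic: a shaded or repackaged jar may drop the Maven metadata and be flagged again, and a jar that bundles both a real log4j 1.2 and reload4j would be reported as mitigated on the strength of one marker file. A stronger check would inspect the JMSAppender bytecode itself, which this thread does not go into.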

@fipro78
Author

fipro78 commented Feb 7, 2022

logpresso added a special handling for reload4j, so this issue can be closed.

@fipro78 fipro78 closed this as completed Feb 7, 2022