Stable Docker image still has a log4j vulnerability due to Webswing
Describe the bug
The Webswing 21.1.5 package contains log4j 2.13.2, as evidenced by a scan with the Trivy tool.
# trivy fs --ignore-unfixed --severity HIGH,CRITICAL webswing
2021-12-16T15:24:09.477Z INFO Detected OS: unknown
2021-12-16T15:24:09.477Z INFO Number of PL dependency files: 4
2021-12-16T15:24:09.477Z INFO Detecting jar vulnerabilities...
admin/webswing-admin-server.war
===============================
Total: 2 (HIGH: 0, CRITICAL: 2)

| LIBRARY                             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                                                                                                                          |
|-------------------------------------|------------------|----------|-------------------|---------------|--------------------------------------------------------------------------------------------------------------------------------|
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228   | CRITICAL | 2.13.2            | 2.15.0        | log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled... -->avd.aquasec.com/nvd/cve-2021-44228 |
| org.apache.logging.log4j:log4j-core | CVE-2021-44228   | CRITICAL | 2.13.2            | 2.15.0        | log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled... -->avd.aquasec.com/nvd/cve-2021-44228 |
webswing-server.war
===================
Total: 2 (HIGH: 0, CRITICAL: 2)

| LIBRARY                             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                                                                                                                          |
|-------------------------------------|------------------|----------|-------------------|---------------|--------------------------------------------------------------------------------------------------------------------------------|
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228   | CRITICAL | 2.13.2            | 2.15.0        | log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled... -->avd.aquasec.com/nvd/cve-2021-44228 |
| org.apache.logging.log4j:log4j-core | CVE-2021-44228   | CRITICAL | 2.13.2            | 2.15.0        | log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled... -->avd.aquasec.com/nvd/cve-2021-44228 |
To Reproduce
Steps to reproduce the behavior:
- Build the image from Dockerfile-stable
- Scan the image with Trivy, see similar output to above
In order to diagnose that this was Webswing, I additionally ran a shell inside the image locally on my laptop and pulled down a copy of Trivy via the shell-based installer:

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3

Then I ran Trivy from inside the image as above, and you can see the same output.
Expected behavior
The scan should pass. This scan happens in our CI pipelines and prevents the release of vulnerable images to our private image registry.
Software versions
- ZAP: 2.11.1
- Add-on: Webswing 21.1.5
- OS: Linux (Docker Image)
- Java: OpenJDK 8
- Browser: N/A
Errors from the zap.log file
N/A
Additional context
The latest Webswing version, 21.2.4, fixed this.
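The report above depends on Trivy descending into the two WAR files to find the log4j jars packed inside them. The following is an added example, not code from the ZAP project, from Webswing, or from this issue: a small Python scanner that opens .war/.jar/.ear archives, recurses into nested archives, reads each Log4j 2 artifact's pom.properties, compares its version against the fixed version the Trivy report on this page gives for CVE-2021-44228 (2.15.0), and records whether the JndiLookup class is present in that jar (its removal was the widely published interim mitigation). The sample WAR is constructed in memory for the demonstration; FIXED_VERSION, the file names and the scan_tree helper are assumptions for the example rather than anything the issue specifies.

```python
"""Nested-archive scanner for Log4j 2 artifacts (added example, not project code)."""
import io
import re
import zipfile
from pathlib import Path

# Fixed version as reported by Trivy on this page. Later advisories raised the
# bar further, so treat this as a tunable parameter, not a permanent truth.
FIXED_VERSION = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that every log4j-core / log4j-api jar ships with.
POM_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/(log4j-(?:core|api))/pom\.properties$"
)
# Class whose removal was the published interim mitigation for CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.13.2' -> (2, 13, 2); tolerant of suffixes such as '2.13.2-SNAPSHOT'."""
    parts = re.findall(r"\d+", text)[:3]
    return tuple(int(p) for p in parts) if parts else (0,)


def scan_archive_bytes(data, label, findings=None):
    """Walk one archive and every archive nested inside it; return a list of findings."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (plain file or corrupt); nothing to inspect
    with zf:
        names = zf.namelist()
        has_jndi = JNDI_CLASS in names  # only meaningful for the log4j-core jar itself
        for name in names:
            m = POM_RE.search(name)
            if m:
                props = zf.read(name).decode("utf-8", "replace")
                vm = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = parse_version(vm.group(1)) if vm else (0,)
                findings.append({
                    "location": label,
                    "artifact": m.group(1),
                    "version": version,
                    "vulnerable": version < FIXED_VERSION,
                    "jndi_lookup_present": has_jndi,
                })
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Recurse into WEB-INF/lib/*.jar and similar, the way Trivy does.
                scan_archive_bytes(zf.read(name), f"{label}!{name}", findings)
    return findings


def scan_tree(root):
    """Scan every archive under a directory, e.g. an unpacked container filesystem."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive_bytes(path.read_bytes(), str(path), findings)
    return findings


def build_sample_war(core_version, with_jndi=True):
    """Constructed fixture: a WAR wrapping a fake log4j-core jar of the given version."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={core_version}\n",
        )
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr(f"WEB-INF/lib/log4j-core-{core_version}.jar", jar_buf.getvalue())
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    return war_buf.getvalue()


if __name__ == "__main__":
    # Vulnerable (2.13.2, as in the report above) next to a fixed (2.15.0) build.
    for ver in ("2.13.2", "2.15.0"):
        for finding in scan_archive_bytes(build_sample_war(ver), f"sample-{ver}.war"):
            print(finding)
```

In a CI gate you would run scan_tree over the image's unpacked filesystem and fail the build when any finding has "vulnerable" set; the "jndi_lookup_present" flag distinguishes an old jar that has had the class stripped from one that has not, which a pure version check cannot do. The location field uses the same "outer!inner" notation as the recursion, so a hit inside a WAR inside an EAR is still traceable to a single file.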
Issue Analytics
- Created 2 years ago
- Comments: 6 (5 by maintainers)
Top GitHub Comments
Thanks for reporting this! We’ll get on it right away…
Changes merged, regenerating all of the docker images that include WebSwing …