Re: [eclipse.org-planning-council] [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse?

Alexander,

Thank you for the analysis and sorry that your component is the center of such negative attention through no fault of your own...

I looked at how Passage is using the logging facilities, using your Oomph setup for provisioning an IDE.  Attached are the search results of all the places where content is logged.

Based on this, the primary concern would be if the message text of an exception included an offensive string such as ${jndi:ldap://127.0.0.1/a}.  I expect that more than a little creativity would be involved to exploit that, given an attacker would need to coerce the client to visit sites it would not generally visit on its own, or do some kind of man-in-the-middle attack to intercept a legitimate site accessed via a non-secure protocol, and then likely the URL itself would need to contain such a string for it to end up in the exception message.  It's quite far-fetched, but as you say, time and creativity conquer all...

Certainly clients using the Passage runtime for past releases and for the 2021-12 release (the Passage 2.2.0 release) should upgrade to the Passage 2.2.1 release:

    https://download.eclipse.org/passage/drops/release/2.2.1-R

My sense though is that there is no (significant) risk in a tooling environment, i.e., in a running RCP/RAP IDE package.

Does the above seem like a fair and reasonable assessment?

Regards,
Ed


On 12.12.2021 17:22, Alexander Fedorov wrote:
Ed,

Eclipse Passage 2.2.1 is published at https://download.eclipse.org/passage/updates/release/2.2.1/ldc/.

> Will you set the lower bound to force the fixed version and to disallow the older version?

yes, org.apache.logging.log4j;bundle-version="2.15.0"

> Only you know how Passage uses the logging facility to know if there is in actual fact a risk.  I.e., is Passage actually logging information obtained from an internet connection and is that actually enabled/activated in the RCP/RAP package itself?

Nothing during scenarios that are activated for the "host" RCP/RAP package. Currently Passage just creates the plug-in projects with license checks configured, using standard PDE facilities.

> I could see nothing that appears to be related to Passage in an IDE into which I installed Passage, i.e., no preferences, no wizards, no views, nothing obvious.

Thank you for the feedback. Passage has "Welcome" entries and PDE wizards for the "Create RCP + UI" mode, but it definitely needs to be more discoverable. The fresh request we have is to support the Marketplace Client with license checks before installation, and this is pretty doable with sufficient p2 metadata published.

> Is it perhaps the case that the security problems would only manifest themselves in applications where Passage is deployed at runtime for licensing control of that application? 

Yes, theoretically, security problems can be caused by a very skilled attacker for runtime instances of user-created applications where a license check will be triggered.
No idea how robust the org.apache.logging.log4j.core/lookup.JndiLookup class is, but if we assume that logged data could realize the threat, it becomes a matter of time and creativity.

Regards,
AF

12/12/2021 4:07 PM, Ed Merks wrote:

Alexander,

Will you set the lower bound to force the fixed version and to disallow the older version?

If only the installer and its product catalogs were involved, I could fix the problem easily by adding an update site and forcing the version range to install the fixed version.  I wouldn't even need a new version of Passage to force/fix that...

But we're also talking about the release train repository, which would need a respin.  Unfortunately there are updates in the SimRel repo after the 2021-12 tag:

Some of those will be needed because the https://download.eclipse.org/eclipse/updates/4.22-I-builds repository is gone.  Hopefully other projects contributed stable repositories with unchanging released content rather than pointing at a "moving target" that has changed its content since the release.

If we decide we need to do a respin and we accomplish that, then EPP needs to respin as well.  This will be something the Planning Council will need to discuss and to decide which actions to take.

Only you know how Passage uses the logging facility to know if there is in actual fact a risk.  I.e., is Passage actually logging information obtained from an internet connection and is that actually enabled/activated in the RCP/RAP package itself?  I.e., does what Jens Lideström outlined apply?  (Thanks Jens!)  If not, then perhaps we're unduly alarmed.  I could see nothing that appears to be related to Passage in an IDE into which I installed Passage, i.e., no preferences, no wizards, no views, nothing obvious.  Is it perhaps the case that the security problems would only manifest themselves in applications where Passage is deployed at runtime for licensing control of that application?

Please try to outline the risk factors of Passage's development tools being installed in an IDE application to help inform the Planning Council in making a decision.

P.S., Passage is the only component on the 2021-12 train that is affected; I cannot comment on all Eclipse-distributed content in general...

Regards,
Ed

On 12.12.2021 11:04, Alexander Fedorov wrote:
The Passage Team is working to provide Eclipse Passage 2.2.1 that will consume the fixed logger from https://download.eclipse.org/tools/orbit/downloads/drops2/I20211211225428/repository

Ed, how could we then provide an update for released SimRel 2021-12?

Regards,
AF

P.S. I'm really surprised to have the only component affected after having org.apache.logging.log4j 2.8.2 published in Eclipse Orbit starting from 2020-09 (6 releases).



12/12/2021 12:41 PM, Ed Merks wrote:

Just to avoid any confusion such as that which Ed Willink mentioned, the https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 issue is specifically about the class org.apache.logging.log4j.core/lookup.JndiLookup, which is not in a package provided by org.apache.log4j but rather in a package provided by org.apache.logging.log4j, as illustrated here in a CBI p2 aggregator repo view:

Based on the analysis tool I've been developing for better managing SimRel, e.g., to provide traceability and dependency analysis, it's definitely the case that only Passage depends on this bundle:


Specifically via bundle requirements (as opposed to package requirements):


Those requirements have no upper bound, only an inclusive lower bound, such that they will resolve and use any higher version of org.apache.logging.log4j.  As such, installing Passage with https://download.eclipse.org/tools/orbit/downloads/drops2/I20211211225428/repository in the available sites, and enabling their use, does install the newer version:


The bad news is that the RCP/RAP package contains Passage and hence the bad version of the org.apache.logging.log4j bundle.

What's not clear is whether Passage actually logs messages whose content can be externally subverted/exploited via contact to the web, and whether such activity is actually enabled by default, e.g., in the RCP/RAP package...

Regards,
Ed


On 11.12.2021 20:48, Gunnar Wagenknecht wrote:
Thanks Matthias!

According to Wayne, 2.15 has already been vetted and is good for use:

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/



On Dec 11, 2021, at 20:36, Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:

On Sat, Dec 11, 2021 at 11:35 AM Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:
Alexander,

On Dec 11, 2021, at 10:16, Alexander Fedorov <alexander.fedorov@xxxxxxxxxx> wrote:
It would be great to learn the vulnerability clean-up process with the Eclipse Orbit team to then apply it to Eclipse Passage.


There is no Orbit team. Orbit is driven by project committers using/needing libraries in Orbit.
I encourage the Eclipse Passage project to submit a Gerrit review for a newer version.

Considering the buzz around this vulnerability, I went ahead and pushed an update to log4j 2.15 for Orbit.
Note that the required ClearlyDefined score isn't reached yet; if this doesn't change soon,
maybe someone can contribute the missing information to ClearlyDefined, or
we file CQs to get the license approval for the new version.

You can also try a new way as described by Mickael here:

-Gunnar
_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev



org.eclipse.passage.lbc.base
src
org
eclipse
passage
lbc
internal
base
acquire
AcquiredGrantsStorage.java (2 matches)
74:  log.error(String.format("FLS feature %s is not covered by a license", feature)); //$NON-NLS-1$  
113:  log.debug(String.format("|%s| acquisiiton [%s] for user %s on feature %s product %s v%s", //$NON-NLS-1$  
Acquisition.java
54:  log.error("failed: ", e); //$NON-NLS-1$  
FeatureGrants.java (3 matches)
61:  log.error(String.format("Failed on gathering grants for product %s", product)); //$NON-NLS-1$  
66:  log.error(String.format("Failed on gathering grants for product %s", product), e); //$NON-NLS-1$  
84:  log.error(e);  
LicensePacks.java
74:  log.error("failed: ", e); //$NON-NLS-1$  
ProtectedGrantCapacity.java
46:  log.error(String.format("Due to insufficient license coverage capacity for grant [%s] decreased to %d", //$NON-NLS-1$  
mine
Conditions.java (2 matches)
45:  log.debug(String.format("Mining conditions for product %s", data.product().get())); //$NON-NLS-1$  
55:  log.error(new DiagnosticExplained(conditions.diagnostic()).get());  
ReassemblingMiningTool.java
70:  log.error("failed: ", e); //$NON-NLS-1$  
AuthentifiedChoreDraft.java (2 matches)
54:  log.error("Failed on server authentication attempt: ", e); //$NON-NLS-1$  
65:  log.error(String.format("Key file [%s] is not found", product)); //$NON-NLS-1$  
org.eclipse.passage.lic.equinox
src
org
eclipse
passage
lic
equinox
GearAware.java (2 matches)
42:  log.error(e);  
46:  log.error("No reference of service " + supplier().getName()); //$NON-NLS-1$  
org.eclipse.passage.lic.execute
src
org
eclipse
passage
lic
execute
DefaultFramework.java
72:  log.debug(String.format("%s runs for %s", //$NON-NLS-1$  
org.eclipse.passage.lic.jetty
src
org
eclipse
passage
lic
internal
jetty
interaction
LicenseProtection.java (2 matches)
69:  log.error("Failed to read product credentials", e); //$NON-NLS-1$  
77:  log.error(String.format(//  
ServerHandles.java (3 matches)
48:  log.error("failed to launch Jetty server", e); //$NON-NLS-1$  
57:  log.error("failed to terminate Jetty server", e); //$NON-NLS-1$  
70:  log.error("failed to report state of Jetty server", e); //$NON-NLS-1$  
JettyServer.java (3 matches)
41:  log.info(String.format(Messages.started, port.get().get()));  
52:  log.info(String.format(Messages.stopped));  
71:  log.error(message, e);  
org.eclipse.passage.lic.jface
src
org
eclipse
passage
lic
internal
jface
dialogs
licensing
AgreementsWizard.java
66:  log.error(e);  
org.eclipse.passage.lic.net
src
org
eclipse
passage
lic
internal
net
connect
Port.java
40:  log.error("failed: ", e); //$NON-NLS-1$ ;  
Storage.java (3 matches)
51:  log.error(String.format("Failed to create absent license storage directory %s", path.toAbsolutePath())); //$NON-NLS-1$ ;  
56:  log.error(String.format("License storage must be a directory: %s ", path.toAbsolutePath())); //$NON-NLS-1$ ;  
60:  log.error(String.format("Lack of access rights - directory is not executable: %s ", path.toAbsolutePath())); //$NON-NLS-1$ ;  
handle
ChoreDraft.java (2 matches)
43:  log.error("failed: ", e); //$NON-NLS-1$ ;  
63:  log.error("failed: ", e); //$NON-NLS-1$ ;  
org.eclipse.passage.loc.licenses.core
src
org
eclipse
passage
loc
internal
licenses
core
issue
ClosedValidityPeriodReduction.java (2 matches)
48:  log.warn(String.format(ReductionMessages.ClosedValidityPeriodReduction_reduction_validityperiod_length,  
50:  log.warn(String.format(ReductionMessages.ClosedValidityPeriodReduction_reduction_validityperiod_allowed,  
FeatureGrantCapacityReduction.java (2 matches)
30:  log.warn(String.format(ReductionMessages.FeatureGrantCapacityReduction_reduction_featuregrant_capacity,  
32:  log.warn(String.format(ReductionMessages.FeatureGrantCapacityReduction_reduction_featuregrant_feature,  
UserGrantsAmountReduction.java (2 matches)
31:  log.warn(String.format(ReductionMessages.UserGrantsAmountReduction_reduction_usergrant_amount, amount));  
34:  log.warn(String.format(ReductionMessages.UserGrantsAmountReduction_reduction_usergrant_user,  
LicenseSignature.java
54:  log.error(new DiagnosticExplained(diagnostic).get());  
org.eclipse.passage.loc.operator.seal
src
org
eclipse
passage
loc
operator
seal
OperatorFramework.java
74:  log.debug(String.format("%s runs for %s", //$NON-NLS-1$  
org.eclipse.passage.loc.products.core
src
org
eclipse
passage
loc
internal
products
core
ConvertedKeys.java
147:  log.info(String.format(//  
ProductVersionKeys.java
144:  log.error("", e); //$NON-NLS-1$  
org.eclipse.passage.loc.workbench.emfforms
src
org
eclipse
passage
loc
workbench
emfforms
renderers
ConditionTypeRenderer.java
53:  log.error(e);  

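Added example, not code from this thread, from Eclipse Passage or from Orbit: a Python script applying the OSGi bundle-version rules the thread relies on (a bare version such as the "2.15.0" lower bound Alexander sets is an inclusive lower bound with no upper bound, so it resolves to any later version; a bracketed range such as "[2.8.2,3.0.0)" bounds both ends) to Require-Bundle headers, and reporting whether a requirement on its own still admits a version older than the fix. The manifest snippets, the symbolic name org.example.passage.sample and the list of available versions are constructed for the example; 2.15.0 and org.apache.logging.log4j are taken from the thread.

```python
"""OSGi bundle-version range audit (added example, not Passage/Orbit/p2 code).

Implements the range rules discussed in the thread: a bare version is an
inclusive lower bound with no upper bound; "[a,b)" bounds both ends.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True, order=True)
class Version:
    """major.minor.micro.qualifier, ordered as OSGi orders versions
    (numeric parts numerically, the qualifier as a plain string)."""
    major: int
    minor: int = 0
    micro: int = 0
    qualifier: str = ""

    @classmethod
    def parse(cls, text: str) -> "Version":
        parts = text.strip().split(".", 3)
        numbers = [int(p) for p in parts[:3]]
        qualifier = parts[3] if len(parts) == 4 else ""
        return cls(*numbers, qualifier=qualifier)


@dataclass(frozen=True)
class VersionRange:
    low: Version
    low_inclusive: bool
    high: Optional[Version]      # None: open-ended, as for a bare version
    high_inclusive: bool

    _PATTERN = re.compile(r"^\s*([\[(])\s*([^,]+)\s*,\s*([^\])]+)\s*([\])])\s*$")

    @classmethod
    def parse(cls, text: str) -> "VersionRange":
        m = cls._PATTERN.match(text)
        if m is None:  # bare version: "at least this version"
            return cls(Version.parse(text), True, None, False)
        return cls(Version.parse(m.group(2)), m.group(1) == "[",
                   Version.parse(m.group(3)), m.group(4) == "]")

    def includes(self, v: Version) -> bool:
        if v < self.low or (v == self.low and not self.low_inclusive):
            return False
        if self.high is None:
            return True
        return v < self.high or (v == self.high and self.high_inclusive)

    def admits_below(self, fixed: Version) -> bool:
        """True if a version older than `fixed` satisfies the range, i.e. the
        requirement alone does not keep an unfixed bundle out of the resolution."""
        return self.low < fixed


# Commas outside double quotes separate Require-Bundle clauses.
_CLAUSE_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def require_bundle_ranges(manifest: str) -> Dict[str, VersionRange]:
    """Return {symbolic-name: range} for every Require-Bundle clause."""
    unfolded = re.sub(r"\r?\n ", "", manifest)   # join manifest continuation lines
    ranges: Dict[str, VersionRange] = {}
    for line in unfolded.splitlines():
        if not line.startswith("Require-Bundle:"):
            continue
        for clause in _CLAUSE_SPLIT.split(line[len("Require-Bundle:"):]):
            params = [p.strip() for p in clause.split(";")]
            name, spec = params[0], "0.0.0"        # OSGi default when no version is given
            for param in params[1:]:
                key, _, value = param.partition("=")
                if key.strip() == "bundle-version":
                    spec = value.strip().strip('"')
            if name:
                ranges[name] = VersionRange.parse(spec)
    return ranges


# Constructed sample manifests (the symbolic name is hypothetical).
SAMPLE_OLD = ("Bundle-SymbolicName: org.example.passage.sample\n"
              "Require-Bundle: org.eclipse.core.runtime,\n"
              " org.apache.logging.log4j;bundle-version=\"2.8.2\"\n")
SAMPLE_FIXED = SAMPLE_OLD.replace('"2.8.2"', '"2.15.0"')
LOG4J = "org.apache.logging.log4j"
FIXED = Version.parse("2.15.0")   # fixed version named in the thread


def audit(manifest: str, bundle: str = LOG4J, fixed: Version = FIXED,
          available=("2.8.2", "2.15.0")) -> dict:
    """Report how a Require-Bundle range behaves against the available versions."""
    rng = require_bundle_ranges(manifest).get(bundle)
    if rng is None:
        return {"requires": False}
    resolvable = [v for v in available if rng.includes(Version.parse(v))]
    return {"requires": True,
            "admits_unfixed": rng.admits_below(fixed),
            "resolvable": resolvable,
            "highest": max(resolvable, key=Version.parse) if resolvable else None}


if __name__ == "__main__":
    for label, manifest in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED)):
        print(label, audit(manifest))
```

The "highest" entry reflects what the thread observed: with only a lower bound, p2 installs the newest version it can see, so adding the Orbit repository with 2.15.0 to the available sites upgrades the bundle even without a new Passage release; "admits_unfixed" is what changes once the lower bound itself is raised.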
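A second added example, likewise not from the thread or from Eclipse Passage: a Python triage of grep-style logging hits in the shape of the attached search results. It sorts each call by how its message text is assembled, which is the question the analysis above asks of every call site: fixed at compile time, runtime values spliced in through String.format or concatenation, taken from a constant held elsewhere, or an arbitrary object rendered at log time. The sample hits are copied from the shape of the attached lines; the category names and the split_args and classify helpers are the example's own, and the result is a review aid, not a verdict on exploitability.

```python
"""Triage of logging call sites by how their message text is built.

Added example; heuristic review aid for grep output like the attached list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the attached search output.
SAMPLE_HITS = """
74:  log.error(String.format("FLS feature %s is not covered by a license", feature)); //$NON-NLS-1$
54:  log.error("failed: ", e); //$NON-NLS-1$
84:  log.error(e);
46:  log.error("No reference of service " + supplier().getName()); //$NON-NLS-1$
52:  log.info(String.format(Messages.stopped));
55:  log.error(new DiagnosticExplained(conditions.diagnostic()).get());
113:  log.debug(String.format("|%s| acquisiiton [%s] for user %s on feature %s product %s v%s", //$NON-NLS-1$
"""

LEVELS = r"trace|debug|info|warn|error|fatal"
# Call closed on the same line: `NN:  log.level(args); // comment`
COMPLETE = re.compile(r"^\s*(?:(\d+):\s*)?log\.(" + LEVELS + r")\((.*)\)\s*;\s*(?://.*)?$")
# Call that continues on the next line (grep shows only its first line).
PARTIAL = re.compile(r"^\s*(?:(\d+):\s*)?log\.(" + LEVELS + r")\((.*?)\s*(?://.*)?$")
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')


@dataclass
class CallSite:
    line: Optional[int]   # source line from the grep prefix, if any
    level: str
    args: List[str]
    complete: bool        # False when the call continues past the grep line
    category: str


def split_args(text: str) -> List[str]:
    """Split a Java argument list on top-level commas, skipping commas inside
    string literals and inside nested (), [] and {}."""
    parts, buf, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(text):   # keep the escaped character
                i += 1
                buf.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            buf.append(ch)
        elif ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            depth += (ch in "([{") - (ch in ")]}")
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def classify(args: List[str]) -> str:
    """Name the kind of message text a call produces (heuristic)."""
    if not args:
        return "no-message"
    first = args[0]
    if STRING_LITERAL.match(first):
        # Literal text; further arguments are log4j parameters (often the Throwable).
        return "constant" if len(args) == 1 else "constant+parameters"
    if first.startswith("String.format("):
        inner = first[len("String.format("):]
        inner = inner[:-1] if inner.endswith(")") else inner
        fmt = split_args(inner)
        if len(fmt) > 1 or (fmt and STRING_LITERAL.match(fmt[0]) and "%" in fmt[0]):
            return "formatted-runtime"   # runtime values spliced into the text
        return "indirect"                # text comes from a constant held elsewhere
    if "+" in re.sub(r'"(?:[^"\\]|\\.)*"', '""', first):
        return "formatted-runtime"       # concatenation with runtime values
    return "object-message"              # whatever the object renders, e.g. log.error(e)


def triage(hits: str) -> List[CallSite]:
    sites: List[CallSite] = []
    for raw in hits.splitlines():
        line = raw.strip()
        m = COMPLETE.match(line)
        complete = m is not None
        m = m or PARTIAL.match(line)
        if m is None:
            continue          # not a log call (path or file-name line in the grep output)
        args = split_args(m.group(3))
        number = int(m.group(1)) if m.group(1) else None
        sites.append(CallSite(number, m.group(2), args, complete, classify(args)))
    return sites


if __name__ == "__main__":
    for s in triage(SAMPLE_HITS):
        print(f"{str(s.line):>4} {s.level:<5} {s.category:<20}", "" if s.complete else "(continues)")
```

Calls in the "formatted-runtime" and "object-message" buckets are the ones worth reading in context, since only there can data that was not fixed at compile time become part of the message text; "constant+parameters" calls log a fixed string and hand the exception over as a separate parameter, which is the case the analysis above singles out for its exception-message reasoning.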