[SECURITY] RCE 0-day in log4j - Conclusion: Lombok itself not affected #3063
Comments
|
Can you please explain how this affects lombok? As far as I know |
|
Lombok provides an annotation, @log4j, which generates a logger field using the apache Log4J library. |
|
@adambarney although Lombok generates code to create an instance of a logger, we do not ship, distribute or require any specific version, and the user needs to bring their own. As @Rawi01 said, there is a version to be found in our code base, but that's only used inside testing code to be able to compile the generated code without errors. So I would say that Lombok is still safe to use, but I don't see a reason NOT to update the dependency to a version that is currently considered safe. |
|
Lombok itself does not ship, require or depend on log4j. It just generates the code that references log4j. If log4j is not on the classpath, the compiler will complain. |
Wouldn‘t that dependency then be included if u declared lombok as a dependency in ur mvn/gradle? Making it probably the only one on the classpath which would in turn be picked up by the code generated by lombok? |
|
doing a quick search in the repository found this property that presents vulnerability lombok/src/support/log4j.properties Line 6 in d3b763f |
|
@SunriseChair Lombok does not declare a dependency on log4j, or any other library. If you would use the |
|
@RuanNunes in the same directory is a text file explaining we do not ship that file as part of our release. |
@rspilker After diving into the code I can confirm that you're absolutely right about this ⬆️ .
Absolutely! 👍 |
|
@vae520283995, I cannot help you here. I have no knowledge about this vulnerability, and I wouldn't even understand why you would assume it would also affect I can tell you that Lombok does not ship, require or declare a dependency on any of those libraries. We generate 'invisible source code'. Please contact the maintainers of |
Thank you, I checked, I am using springboot default logback |
rspilker
changed the title
Latest assesment
So, no, Lombok itself does not need any changes, and is not responsible for any security problems your product might have regarding these broken Log4j libraries. Mitigation
FeedbackIf you do not agree with the current assessment, please add a comment to this issue. However, please make sure you've read the other comments, and make sure you understand the problem. The balancing act:
Latest changes
|
rzwitserloot
changed the title
|
Lombok uses this framework behind the scenes: https://logback.qos.ch/ |
|
@lidiop Lombok does not use logback or any other logging facade or backend. Lombok does generate code, the user needs to provide the accompanying facade during compilation and facade and backend at runtime. There is no need to update your Lombok. |
|
great @rspilker . Thank you so much for the answer. |
…dependency on log4j, solely for testing purposes, and no user input is ever logged with it. Nevertheless, pushing the dep to 2.16 to avoid false positives from vulnerability scanners ruining the day.
…dependency on log4j, solely for testing purposes, and no user input is ever logged with it. Nevertheless, pushing the dep to 2.17 to avoid false positives from vulnerability scanners ruining the day.
Describe the bug
In
log4jlibrary was discovered a 0-day exploit that results in Remote Code Execution (RCE) by logging a certain string. The vulnerability impacts Apache Log4j 2 versions2.0to2.14.1.Additional context
https://www.randori.com/blog/cve-2021-44228/
Expected behavior
Immediate update of
log4jlibrary to the latest version (right now it is2.15.0according to the changelog)Jump to latest assesment
The text was updated successfully, but these errors were encountered: