elasticsearch-sql-cli-7.16.1.jar mentioned as vulnerable, but should be the fixed version
svbrburgman opened this issue
https://www.elastic.co/guide/en/elasticsearch/reference/current/release-notes-7.16.1.html
Enhancements
Infra/Logging
Disable JNDI lookups via the log4j2.formatMsgNoLookups system property #81622
Patch log4j jar to remove the JndiLookup class from the classpath #81629
scan results:
SonarQube\sonarqube-8.9.5\elasticsearch\bin\elasticsearch-sql-cli-7.16.1.jar: vulnerable JndiManager found
SonarQube\sonarqube-8.9.5\elasticsearch\lib\elasticsearch-log4j-7.16.1.jar: vulnerable JndiManager found
Hi @svbrburgman ,
This particular way to patch (removing JndiLookup class) was not taken into account. We'll add a clear indication of this patch in the report and update here when it's ready.
However, note that for the case of elasticsearch-sql-cli-7.16.1.jar, the JndiLookup class is still present in the file. While there may be another mitigation in place, it's probably something to verify with the vendor.
Hi @svbrburgman,
We added a more detailed version estimation output to the report, and elasticsearch-log4j-7.16.1.jar is now indeed reported as fixed due to removed JndiLookup.
Note that the tool now uses fingerprinting of two classes (JndiManager and JndiLookup), and was renamed to scan_log4j_versions.py.
Please update if you have further issues.
Thanks!
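The check the maintainer describes above (look for both JndiManager and JndiLookup, and treat "JndiManager present, JndiLookup removed" as the class-removal mitigation) is simple enough to show end to end. The script below is an added example written for this thread; it is not the project's scan_log4j_versions.py and does not do that tool's per-version fingerprinting. It only checks for the two class entries (those are the real log4j-core class paths), reads the version from the Maven pom.properties path that log4j-core jars conventionally carry (assumed path), and recurses into nested archives so a fat jar or a .war bundling log4j-core is not missed. The build_jar helper produces constructed in-memory fixtures so the block runs offline.

```python
"""Presence-based log4j JNDI class check over JAR files, including nested archives.

Added example for this thread: not the project's scan_log4j_versions.py.
"""
import io
import sys
import zipfile

# The two log4j-core class entries the thread's scanner keys on.
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata path that log4j-core jars conventionally ship (assumed here; best effort only).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def classify(has_manager: bool, has_lookup: bool) -> str:
    """Map the presence of the two classes to a human-readable status."""
    if not has_manager and not has_lookup:
        return "no log4j-core JNDI classes"
    if has_manager and not has_lookup:
        # The mitigation from the Elasticsearch release notes: JndiLookup stripped from the jar.
        return "fixed: JndiLookup class removed"
    # JndiLookup still present: the removal mitigation was not applied to this archive,
    # so only the actual log4j-core version can tell whether it is fixed.
    return "JndiLookup present: removal mitigation not applied, check log4j-core version"


def log4j_core_version(zf: zipfile.ZipFile):
    """Best-effort version string from log4j-core's pom.properties, or None if absent."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan_zip(zf: zipfile.ZipFile, label: str, findings: list) -> None:
    """Append one finding per archive that contains either class; recurse into nested archives."""
    names = set(zf.namelist())
    has_manager = JNDI_MANAGER in names
    has_lookup = JNDI_LOOKUP in names
    if has_manager or has_lookup:
        findings.append({
            "archive": label,
            "version": log4j_core_version(zf),
            "jndi_manager": has_manager,
            "jndi_lookup": has_lookup,
            "status": classify(has_manager, has_lookup),
        })
    for name in sorted(names):
        if name.lower().endswith(NESTED_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # an entry named like an archive but not a valid one: skip it
            scan_zip(inner, f"{label}!{name}", findings)


def scan_jar_bytes(data: bytes, label: str = "<bytes>") -> list:
    """Scan an archive held in memory and return the list of findings."""
    findings: list = []
    scan_zip(zipfile.ZipFile(io.BytesIO(data)), label, findings)
    return findings


def scan_jar_path(path: str) -> list:
    """Scan an archive on disk."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), path)


def build_jar(entries: dict) -> bytes:
    """Constructed fixture: an in-memory JAR whose entry contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_example.py some.jar other.war ...
    for path in sys.argv[1:]:
        for finding in scan_jar_path(path):
            print(f"{finding['archive']}: {finding['status']} (version={finding['version']})")
```

A jar that keeps JndiManager but has JndiLookup stripped is reported as fixed, matching what the thread says about elasticsearch-log4j-7.16.1.jar, while an archive that still carries JndiLookup is flagged for a version check rather than declared safe or unsafe on presence alone.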
Hi @svbrburgman ,
Closing it to be less of an eye sore. Feel free to reopen/open new issue if this is not resolved.
Overall, elasticsearch-log4j-7.16.1.jar is now reported as fixed, and elasticsearch-sql-cli-7.16.1.jar is still reported as vulnerable, as JndiLookup was not removed from it. This is consistent with the elasticsearch release notes: see commit elastic/elasticsearch@687decb.
Thanks for the feedback!