<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Andale Mono";
panose-1:2 11 5 9 0 0 0 0 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word;-webkit-nbsp-mode: space;line-break:after-white-space">
<div class="WordSection1">
<p class="MsoNormal">Update:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Some more data has emerged, and after inquiring with JFrog, they pointed me to the issue being connected to what is under work in
<a href="https://jira.qos.ch/browse/LOGBACK-1574">https://jira.qos.ch/browse/LOGBACK-1574</a> and
<a href="https://github.com/qos-ch/logback/pull/305">https://github.com/qos-ch/logback/pull/305</a>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It seems the root of the concern is the hostname validation.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Angelo<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Angelo Rauseo <angelo.rauseo@workday.com><br>
<b>Date: </b>Tuesday, September 7, 2021 at 09:00<br>
<b>To: </b>logback users list <logback-user@qos.ch><br>
<b>Subject: </b>Re: [External Sender] Re: [logback-user] Ambiguous vulnerability assessment help<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Ciao David,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you for your reply and the recommendations. I am trying to reach out to JFrog and to see what data they have, and I think it is reasonable to not use logback apis to reach out to servers via TLS/SSL to stay safe.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Even with all the precautions, I am still a bit confused by the lack of details and somewhat concerned about finding the root cause of a MiTM issue.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Is there anyone here with experience of TLS connectivity in logback? Which would be the APIs involved?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for your time,<o:p></o:p></p>
<p class="MsoNormal">Angelo<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">logback-user <logback-user-bounces@qos.ch> on behalf of David Roussel <nabble@diroussel.xsmail.com><br>
<b>Reply-To: </b>logback users list <logback-user@qos.ch><br>
<b>Date: </b>Saturday, September 4, 2021 at 02:10<br>
<b>To: </b>logback users list <logback-user@qos.ch><br>
<b>Subject: </b>[External Sender] Re: [logback-user] Ambiguous vulnerability assessment help<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Ciao Angelo,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">To reproduce this might take quite a bit of work, as the report you copied doesn’t provide details of how the MITM cert was spoofed. It might be as simple as not validating the cert at all. But if you have support from JFrog, then I would
be best to contact them for more details.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don’t currently use logback myself, but when I did I never relied on any feature that connected out to TLS endpoints. If you don’t either, then you can ignore this issue.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If your logback usage does include connecting out to TLS endpoints, then in each case you need to consider how confidential is that data, what could the impact of a MITM be, and what control do you have over the cert validation.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The problem is that there are many ways in which TLS connections can be made, even just parsing an XML document can cause network requests.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">David<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 27 Aug 2021, at 17:31, Angelo Rauseo <<a href="mailto:angelo.rauseo@workday.com">angelo.rauseo@workday.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hello everyone,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I am looking for details about a vulnerability listed in JFrog X-Ray (see below) that does not have much data attached to it in the report (no CVE, no links to analysis). My end goal would be to eventually help resolve it, but I have no
data about the source to start from.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Anyone here that can help me assess it?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thank you for your time and assistance!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Angelo<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">┌─────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────┐</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Summary │ logback SSL Certificate Validation Failure MitM Spoofing │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Severity │ MEDIUM │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Description │ logback contains a flaw as X.509 certificates are not properly validated. By spoofing the TLS/SSL │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ server via a certificate that appears valid, an attacker with the ability to intercept network │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Type │ SECURITY │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Provider │ JFrog │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Issues │ 4.0/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Edited │ 2021-04-15T09:22:04Z │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Created │ 2019-05-02T00:00:00.297Z │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Impact paths │ - │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ /sha256__11533f8a115abc3bbf6840bebe91a8616a0ee04cd4bdad4094ed62e6f86d4432.tar.gz/usr/share/fugu/li │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ b/ch.qos.logback-logback-core-1.2.3.jar │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ Affected component ID:<span class="apple-converted-space"> </span><a href="gav://ch.qos.logback:logback-core:1.2.3">gav://ch.qos.logback:logback-core:1.2.3</a>
│</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Vulnerable versions │ 1.0.12 ≤ Version ≤ 1.3.0-alpha5 │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Fixed versions │ │</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">└─────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────┘</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono""> </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica">_______________________________________________<br>
logback-user mailing list<br>
</span><a href="mailto:logback-user@qos.ch"><span style="font-size:9.0pt;font-family:Helvetica">logback-user@qos.ch</span></a><span style="font-size:9.0pt;font-family:Helvetica"><br>
</span><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.qos.ch_mailman_listinfo_logback-2Duser&d=DwMFaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=QDRlV20Ri1l0kzdezi8EjKLiEjyGGL8ZdxIoltJLy7w&m=JqVy4JZWTjrqpf01CGLjtKp98ub0RSqr9FTer4EqbhU&s=FAuAnoQCWjXeiTNsJTd_yO73o5kYhBOcw7ak8oj9brI&e="><span style="font-size:9.0pt;font-family:Helvetica">http://mailman.qos.ch/mailman/listinfo/logback-user</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
</body>
</html>