[logback-user] Ambiguous vulnerability assessment help

David Roussel nabble at diroussel.xsmail.com
Sat Sep 4 11:09:53 CEST 2021


Ciao Angelo,

To reproduce this might take quite a bit of work, as the report you copied doesn't provide details of how the MITM cert was spoofed.  It might be as simple as not validating the cert at all.  But if you have support from JFrog, then it would be best to contact them for more details.

I don’t currently use logback myself, but when I did I never relied on any feature that connected out to TLS endpoints.  If you don’t either, then you can ignore this issue.

If your logback usage does include connecting out to TLS endpoints, then in each case you need to consider how confidential that data is, what the impact of a MITM could be, and what control you have over the cert validation.

The problem is that there are many ways in which TLS connections can be made, even just parsing an XML document can cause network requests.

David
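The advice above turns on what "properly validated" means for a TLS client: the presented chain must terminate at a CA you trust, and the certificate must be issued for the host you actually contacted, since a certificate that merely chains correctly is exactly the "appears valid" case in the report. The following Java snippet is an added example, not logback's own code, showing a client that enforces both checks; the trust store path, password, host and port are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class StrictTlsClient {

    /** Builds an SSLContext that trusts only the CAs in the given PKCS12 trust store,
     *  rather than whatever the JVM's default cacerts happens to contain. */
    static SSLContext restrictedContext(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a socket whose handshake fails unless the chain validates against the
     *  trust store AND the certificate's name matches the host we dialled. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Without this line the JSSE client only checks the chain, so a trusted-CA
        // certificate issued for some other name would be accepted by an interceptor.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();   // throws SSLHandshakeException on either failure
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical values: adjust to the collector you actually ship logs to.
        SSLContext ctx = restrictedContext("/etc/app/log-collector-truststore.p12",
                                           "changeit".toCharArray());
        try (SSLSocket s = connect(ctx, "logs.example.internal", 6514)) {
            System.out.println("Handshake OK, peer = " + s.getSession().getPeerPrincipal());
        }
    }
}
```

When auditing a library's outbound TLS use, the two things to look for are a custom TrustManager that accepts everything and the absence of an endpoint identification algorithm (or an equivalent HostnameVerifier), since either one leaves the MitM scenario in the report open.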


> On 27 Aug 2021, at 17:31, Angelo Rauseo <angelo.rauseo at workday.com> wrote:
> 
> Hello everyone,
>  
> I am looking for details about a vulnerability listed in JFrog X-Ray (see below) that does not have much data attached to it in the report (no CVE, no links to analysis). My end goal would be to eventually help resolve it, but I have no data about the source to start from.
>  
> Anyone here that can help me assess it?
>  
> Thank you for your time and assistance!
> Angelo
>  
> ┌─────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────┐
> │ Summary             │ logback SSL Certificate Validation Failure MitM Spoofing                                           │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Severity            │ MEDIUM                                                                                             │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Description         │ logback contains a flaw as X.509 certificates are not properly validated. By spoofing the  TLS/SSL │
> │                     │ server via a certificate that appears valid, an attacker with the  ability  to  intercept  network │
> │                     │ traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.  │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Type                │ SECURITY                                                                                           │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Provider            │ JFrog                                                                                              │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Issues              │ 4.0/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N                                                            │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Edited              │ 2021-04-15T09:22:04Z                                                                               │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Created             │ 2019-05-02T00:00:00.297Z                                                                           │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Impact paths        │ -                                                                                                  │
> │                     │ /sha256__11533f8a115abc3bbf6840bebe91a8616a0ee04cd4bdad4094ed62e6f86d4432.tar.gz/usr/share/fugu/li │
> │                     │ b/ch.qos.logback-logback-core-1.2.3.jar                                                            │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │                     │ Affected component ID: gav://ch.qos.logback:logback-core:1.2.3                                     │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Vulnerable versions │ 1.0.12 ≤ Version ≤ 1.3.0-alpha5                                                                    │
> ├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤
> │ Fixed versions      │                                                                                                    │
> └─────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────┘
>  
>  
> _______________________________________________
> logback-user mailing list
> logback-user at qos.ch
> http://mailman.qos.ch/mailman/listinfo/logback-user