Dev - Nexus Repo / NEXUS-30834

Log4j Visualizer: log4j-core-2.16.0 is counted even though it doesn't have CVE-2021-44228

    Details

    • Story Points:
      2
    • Sprint:
      NXRM MadMax Sprint 25, NXRM MadMax Sprint 26
    • Notability:
      3
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      SYMPTOM:

      After enabling the Log4j Visualizer, a download of log4j-core-2.12.3.jar is not counted, but a download of log4j-core-2.16.0.jar is counted. Both have Security-Medium policy violations, but neither has CVE-2021-44228.
      The documentation says:
      https://help.sonatype.com/repomanager3/nexus-repository-administration/capabilities/log4j-visualizer

      Note that the Log4j Visualizer only captures information about the log4j.core component in Maven and only identifies those impacted by CVE-2021-44228. It does not currently identify or track other log4j vulnerabilities.

      This behaviour is confusing users.

      EXPECTATION:

      From reading the documentation above, users would expect log4j-core-2.16.0.jar not to be counted (although ideally counting all log4j medium/high/severe vulnerabilities would be helpful).
      So please either count only the log4j versions affected by CVE-2021-44228, or update the documentation to clarify which log4j CVEs are counted.
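      As an added illustration (not code from Sonatype or from this issue) of the classification the documentation describes, the check below decides from a log4j-core jar filename whether its version falls in the CVE-2021-44228 affected range. It uses the fix releases from the Apache Log4j advisory as I understand them (2.15.0 for the main line, 2.12.2 for the Java 7 branch, 2.3.1 for the Java 6 branch); the function names are my own. Both jars named in this report, 2.12.3 and 2.16.0, come out as not affected.

```python
import re
from typing import Optional, Tuple

# Assumption (from the Apache Log4j advisory, not from this issue): CVE-2021-44228
# affects log4j-core 2.0-beta9 up to the branch fix release, which is 2.15.0 on
# the main line, 2.12.2 on the Java 7 branch and 2.3.1 on the Java 6 branch.
# Later releases such as 2.12.3 and 2.16.0 carry other log4j CVEs, not this one.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL = 3  # a final release sorts after any pre-release of the same number
FIRST_AFFECTED = (2, 0, 0, QUALIFIER_RANK["beta"], 9)  # 2.0-beta9

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Parse 'major.minor[.patch][-qualifierN]' into a comparable tuple."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, qual, qnum = m.groups()
    rank = QUALIFIER_RANK.get(qual, FINAL) if qual else FINAL
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))


def affected_by_cve_2021_44228(version: str) -> bool:
    """True only for versions inside the CVE-2021-44228 affected range."""
    v = parse_version(version)
    if v[0] != 2 or v < FIRST_AFFECTED:
        return False  # 1.x is a separate code base; pre-beta9 has no JNDI lookup
    minor = v[1]
    if minor == 12:
        fix = (2, 12, 2, FINAL, 0)  # Java 7 branch: 2.12.2 carries the fix
    elif minor == 3:
        fix = (2, 3, 1, FINAL, 0)  # Java 6 branch: 2.3.1 carries the fix
    else:
        fix = (2, 15, 0, FINAL, 0)  # main line: 2.15.0 carries the fix
    return v < fix


def artifact_version(filename: str) -> Optional[str]:
    """Version string of a log4j-core jar name, or None for other artifacts."""
    m = re.match(r"^log4j-core-(.+)\.jar$", filename)
    return m.group(1) if m else None


def should_count(filename: str) -> bool:
    """Documented Visualizer behaviour: count only CVE-2021-44228-affected jars."""
    version = artifact_version(filename)
    return version is not None and affected_by_cve_2021_44228(version)
```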


            People

            Assignee: mkalachov Maksym Kalachov (Inactive)
            Reporter: hosako Hajime Osako
            Last Updated By: Michael Oliverio
            Team: NXRM - Mad Max
