Dev - Nexus Repo / NEXUS-30834

Log4j Visualizer: log4j-core-2.16.0 is counted even though it doesn't have CVE-2021-44228

Details

    Sprint: NXRM MadMax Sprint 25, NXRM MadMax Sprint 26

    Description

      SYMPTOM:

      After enabling Log4j Visualizer, downloading log4j-core-2.12.3.jar is not counted, but log4j-core-2.16.0.jar is counted. Both have Security-Medium policy violations but not CVE-2021-44228.
      The documentation says:
      https://help.sonatype.com/repomanager3/nexus-repository-administration/capabilities/log4j-visualizer

      Note that the Log4j Visualizer only captures information about the log4j.core component in Maven and only identifies those impacted by CVE-2021-44228. It does not currently identify or track other log4j vulnerabilities.

      This behaviour is confusing users.

      EXPECTATION:

      By reading the above doc, users would think log4j-core-2.16.0.jar should not be counted (but ideally counting all log4j medium/high/severe vulnerabilities would be helpful).
      So please either count only the log4j versions affected by CVE-2021-44228, or update the document to clarify which log4j CVEs are counted.
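An added example of the check the reporter is asking for; it is not Sonatype's code and says nothing about how the Log4j Visualizer is actually implemented. It classifies a Maven request path for log4j-core by whether the version falls inside the CVE-2021-44228 range published by Apache (2.0-beta9 through 2.14.1, with the 2.12.2 and 2.3.1 backport fixes and their successors excluded), so 2.12.3 and 2.16.0 are not counted while 2.14.1 is. The sample request paths are constructed.

```python
import re

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1 (per Apache).
# Not affected: 2.15.0+, and the backported fixes 2.12.2 (Java 7 line) and
# 2.3.1 (Java 6 line) together with everything after them in those lines.
FIRST_AFFECTED = "2.0-beta9"
FIRST_FIXED = "2.15.0"
BACKPORT_FIXES = ("2.12.2", "2.3.1")
# Maven pre-release qualifiers sort before the final release of that number.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")
_LOG4J_CORE_PATH_RE = re.compile(
    r"org/apache/logging/log4j/log4j-core/(?P<v>[^/]+)/log4j-core-(?P=v)\.jar$")

def parse_version(version):
    """Turn a log4j-core version string into a tuple that sorts like Maven."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, qual, qual_num = m.groups()
    # A final release sorts after any qualifier; unknown qualifiers raise KeyError.
    rank = _QUALIFIER_RANK[qual.lower()] if qual else len(_QUALIFIER_RANK)
    return (int(major), int(minor), int(patch or 0), rank, int(qual_num or 0))

def affected_by_cve_2021_44228(version):
    """True if this log4j-core version is inside the CVE-2021-44228 range."""
    v = parse_version(version)
    for fix in map(parse_version, BACKPORT_FIXES):
        if v[:2] == fix[:2] and v >= fix:  # same minor line, at/after the fix
            return False
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIRST_FIXED)

def should_count_download(maven_path):
    """True: affected log4j-core; False: unaffected log4j-core; None: other."""
    m = _LOG4J_CORE_PATH_RE.search(maven_path)
    return affected_by_cve_2021_44228(m.group("v")) if m else None

# Constructed sample request paths, as a Maven proxy repository would see them.
SAMPLE_PATHS = [
    "org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar",
    "org/apache/logging/log4j/log4j-core/2.12.3/log4j-core-2.12.3.jar",
    "org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar",
    "org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar",
]

def tally_downloads(paths):
    """Return (affected, not_affected) counts over log4j-core downloads."""
    verdicts = [should_count_download(p) for p in paths]
    return verdicts.count(True), verdicts.count(False)
```

Run against the constructed paths, only the 2.14.1 download is counted; 2.12.3 and 2.16.0 are seen as log4j-core but left out, and log4j-api is ignored entirely.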

          People

            Maksym Kalachov (mkalachov)
            Hajime Osako (hosako)
            Michael Oliverio
            NXRM - Mad Max