Recipe Name:
Vulnerable Log4j dependency - Log4Shell/CVE-2021-44228/CVE-2021-45046/CVE-2021-45105
Description:
Vulnerable Log4j dependency - Log4Shell/CVE-2021-44228/CVE-2021-45046/CVE-2021-45105
Level:
error
Language:
- xml
Tags:
- Apache Maven
- Log4j
- OWASP Top 10
- SLF4J
- basic protection set
- framework specific
- injection
- logging
- security
Recipe:
id: scw:logging:log4j:log4shell-upgrade-dependency
version: 10
metadata:
  name: Vulnerable Log4j dependency - Log4Shell/CVE-2021-44228/CVE-2021-45046/CVE-2021-45105
  shortDescription: Vulnerable Log4j dependency - Log4Shell/CVE-2021-44228/CVE-2021-45046/CVE-2021-45105
  level: error
  language: xml
  enabled: true
  tags: Apache Maven;Log4j;OWASP Top 10;SLF4J;basic protection set;framework specific;injection;logging;security
search:
  element:
    in:
      element:
        allOf:
          - child:
              text: org.apache.logging.log4j
              tagName:
                is: groupId
          - child:
              text:
                matches: log4j(|-api|-bom|-core)
              tagName:
                is: artifactId
        in:
          element:
            in:
              element:
                not:
                  in:
                    element: {}
                in:
                  file:
                    name: pom.xml
                tagName: http://maven.apache.org/POM/4.0.0:project
            tagName:
              matches: dependencies|dependencyManagement
        tagName:
          is: dependency
    text:
      matches: 2\.0.*|2\.1(\.\d+)*|2\.[2-9](\.\d+)*|2\.1[0-6]\..*
    tagName:
      is: version
  scopes:
    library:
      not:
        anyOf:
          - minVersion: 2.17.0
            name:
              contains: org.apache.logging.log4j:log4j-core
          - minVersion: 2.13.1
            name:
              contains: org.apache.logging.log4j:log4j-core
            maxVersion: 2.13.9999
          - minVersion: 2.3.1
            name:
              contains: org.apache.logging.log4j:log4j-core
            maxVersion: 2.3.9999
      name:
        contains: org.apache.logging.log4j:log4j-core
availableFixes:
  - name: Upgrade Log4j version
    actions:
      - rewrite:
          to: <version>2.17.0</version>
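The following Python script is an added example and is not part of the recipe page or the recipe engine's own code. It reimplements the recipe's search over a pom.xml with the standard library: a dependency under dependencies or dependencyManagement of the root project element, with groupId org.apache.logging.log4j, an artifactId matching log4j(|-api|-bom|-core), and a version matching the recipe's regex, is flagged, and the fix rewrites the flagged version to 2.17.0 exactly as the recipe's availableFixes does. It goes beyond the recipe in one respect: a version given as a ${property} reference is resolved against the POM's properties block and the property value is rewritten instead of the literal version element. The library scopes in the recipe (exemptions based on the log4j-core jar actually on the classpath) are not modelled. The sample POM, and the function and helper names, are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Maven POM namespace, the same URI the recipe uses in its tagName for <project>.
POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)  # keep the default namespace on re-serialisation

# Patterns copied from the recipe: artifacts it inspects and versions it flags
# (2.0.x through 2.16.x). 2.17.0 is the version the recipe's fix writes.
ARTIFACT_RE = re.compile(r"log4j(|-api|-bom|-core)")
VULNERABLE_VERSION_RE = re.compile(r"2\.0.*|2\.1(\.\d+)*|2\.[2-9](\.\d+)*|2\.1[0-6]\..*")
FIXED_VERSION = "2.17.0"


def _q(name):
    """Namespace-qualify a POM element name for ElementTree."""
    return f"{{{POM_NS}}}{name}"


def _text(parent, name):
    el = parent.find(_q(name))
    return el.text.strip() if el is not None and el.text else None


def _properties(root):
    """Map property name -> value from <project><properties>."""
    props_el = root.find(_q("properties"))
    if props_el is None:
        return {}
    return {p.tag.replace(f"{{{POM_NS}}}", ""): (p.text or "").strip() for p in props_el}


def _resolve(version, properties):
    """Resolve a ${prop} version against <properties> (beyond the recipe's
    literal match). Returns (literal_version, property_name_or_None)."""
    if version and version.startswith("${") and version.endswith("}"):
        prop = version[2:-1]
        return properties.get(prop), prop
    return version, None


def _log4j_dependencies(root):
    """Yield (<dependency> element, artifactId) pairs the recipe's search
    would consider: under <dependencies> or <dependencyManagement> directly
    beneath the root <project>, with the Log4j groupId and artifactId."""
    if root.tag != _q("project"):
        return
    for container in root:
        if container.tag not in (_q("dependencies"), _q("dependencyManagement")):
            continue
        for dep in container.iter(_q("dependency")):
            group = _text(dep, "groupId")
            artifact = _text(dep, "artifactId")
            if group == "org.apache.logging.log4j" and artifact and ARTIFACT_RE.fullmatch(artifact):
                yield dep, artifact


def find_vulnerable_log4j(pom_xml):
    """Return [(artifactId, resolved_version), ...] for dependencies whose
    version matches the recipe's vulnerable-version regex."""
    root = ET.fromstring(pom_xml)
    properties = _properties(root)
    findings = []
    for dep, artifact in _log4j_dependencies(root):
        version, _ = _resolve(_text(dep, "version"), properties)
        if version and VULNERABLE_VERSION_RE.fullmatch(version):
            findings.append((artifact, version))
    return findings


def upgrade_log4j(pom_xml):
    """Apply the recipe's fix: rewrite each flagged <version> to 2.17.0. When
    the version came from a ${property}, rewrite the property value instead."""
    root = ET.fromstring(pom_xml)
    properties = _properties(root)
    for dep, _ in _log4j_dependencies(root):
        version_el = dep.find(_q("version"))
        if version_el is None:
            continue
        version, prop = _resolve(version_el.text.strip() if version_el.text else None, properties)
        if version and VULNERABLE_VERSION_RE.fullmatch(version):
            if prop:
                root.find(_q("properties")).find(_q(prop)).text = FIXED_VERSION
            else:
                version_el.text = FIXED_VERSION
    return ET.tostring(root, encoding="unicode")


# Constructed sample POM: log4j-core pinned through a property to a flagged
# version, log4j-api already at 2.17.0, and an unrelated SLF4J dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.17.0</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.32</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    print("flagged:", find_vulnerable_log4j(SAMPLE_POM))
    print("after fix:", find_vulnerable_log4j(upgrade_log4j(SAMPLE_POM)))
```

On the sample, the only finding is log4j-core at 2.14.1 (log4j-api at 2.17.0 falls outside the regex), and after the rewrite the check comes back empty. Because the regex is matched against the literal version string, pre-release strings such as 2.0-beta9 are also flagged, which matches the recipe's behaviour.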