Recipe Name:
Vulnerable Log4j dependency - Log4Shell/CVE-2021-44228/CVE-2021-45046/CVE-2021-45105
Description:
Vulnerable Log4j dependency - Log4Shell/CVE-2021-44228/CVE-2021-45046/CVE-2021-45105
Level:
error
Language:
  • xml
Tags:
  • Apache Maven
  • Log4j
  • OWASP Top 10
  • SLF4J
  • basic protection set
  • framework specific
  • injection
  • logging
  • security
Recipe
id: scw:logging:log4j:log4shell-upgrade-dependency
version: 10
metadata:
  name: Vulnerable Log4j dependency - Log4Shell/CVE-2021-44228/CVE-2021-45046/CVE-2021-45105
  shortDescription: Vulnerable Log4j dependency - Log4Shell/CVE-2021-44228/CVE-2021-45046/CVE-2021-45105
  level: error
  language: xml
  enabled: true
  tags: Apache Maven;Log4j;OWASP Top 10;SLF4J;basic protection set;framework specific;injection;logging;security
search:
  element:
    in:
      element:
        allOf:
        - child:
            text: org.apache.logging.log4j
            tagName:
              is: groupId
        - child:
            text:
              matches: log4j(|-api|-bom|-core)
            tagName:
              is: artifactId
        in:
          element:
            in:
              element:
                not:
                  in:
                    element: {}
                in:
                  file:
                    name: pom.xml
                tagName: http://maven.apache.org/POM/4.0.0:project
            tagName:
              matches: dependencies|dependencyManagement
        tagName:
          is: dependency
    text:
      matches: 2\.0.*|2\.1(\.\d+)*|2\.[2-9](\.\d+)*|2\.1[0-6]\..*
    tagName:
      is: version
scopes:
  library:
    not:
      anyOf:
      - minVersion: 2.17.0
        name:
          contains: org.apache.logging.log4j:log4j-core
      - minVersion: 2.13.1
        name:
          contains: org.apache.logging.log4j:log4j-core
        maxVersion: 2.13.9999
      - minVersion: 2.3.1
        name:
          contains: org.apache.logging.log4j:log4j-core
        maxVersion: 2.3.9999
    name:
      contains: org.apache.logging.log4j:log4j-core
availableFixes:
- name: Upgrade Log4j version
  actions:
  - rewrite:
      to: <version>2.17.0</version>