
GHSA-3w6p-8f82-gw8r ru.yandex.clickhouse:clickhouse-jdbc-bridge

Package

Manager: maven
Name: ru.yandex.clickhouse:clickhouse-jdbc-bridge
Vulnerable Version: >=0 <2.0.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Using JMSAppender in log4j configuration may lead to deserialization of untrusted data

### Impact

ClickHouse JDBC Bridge uses [slf4j-log4j12 1.7.32](https://repo1.maven.org/maven2/org/slf4j/slf4j-log4j12/1.7.32/), which depends on [log4j 1.2.17](https://repo1.maven.org/maven2/log4j/log4j/1.2.17/). log4j 1.2's `JMSAppender` resolves its connection factory and topic through JNDI and then talks to the configured JMS broker; if the configuration points it at an insecure or attacker-controlled broker, those lookups can return attacker-supplied serialized objects, and deserializing them lets a remote attacker execute code on the server. This only applies if you changed the default log4j configuration to add a `JMSAppender` backed by an insecure JMS broker; the default configuration is not affected, which is why the CVSS vectors rate attack complexity as high.

### Patches

Version `2.0.7` removed the log4j dependency by replacing `slf4j-log4j12` with `slf4j-jdk14`. The logging configuration file also changed from `log4j.properties` to `logging.properties`.

### Workarounds

1. Do NOT change the log4j configuration to use `JMSAppender` together with an insecure JMS broker.
2. Alternatively, remove `JMSAppender.class` from the bridge jar so the appender cannot be loaded even if a configuration references it. The jar bundles a relocated copy of log4j under `ru/yandex/clickhouse/jdbcbridge/internal/log4j/`, which is why the path below differs from the usual `org/apache/log4j/net/JMSAppender.class`:

   ```bash
   # install the zip command if you don't have it
   apt-get update && apt-get install -y zip
   # remove the class from the jar
   zip -d clickhouse-jdbc-bridge*.jar ru/yandex/clickhouse/jdbcbridge/internal/log4j/net/JMSAppender.class
   ```

   Any configuration that still references `JMSAppender` will then fail to instantiate that appender at startup, and the command has to be repeated if the jar is replaced with another version older than `2.0.7`.

### References

Please refer to [CVE-2021-4104](https://access.redhat.com/security/cve/CVE-2021-4104) for more details.

### For more information

If you have any questions or comments about this advisory, please feel free to open an issue in the repository.
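The following is an added example, not code from the advisory or the clickhouse-jdbc-bridge project. It turns the two workarounds above into an offline audit: it checks a bridge jar for the relocated `JMSAppender.class` entry quoted in the advisory (and for the unrelocated log4j path, in case an unshaded log4j 1.2 jar is on the classpath), strips the entry in the same way as the advisory's `zip -d` command, and scans a `log4j.properties` for appenders configured as `JMSAppender`. The sample jar and the sample properties file are constructed in the script (the jar contains placeholder bytes, only the entry names matter); the JMSAppender property names are those documented for log4j 1.2.

```python
"""Audit/mitigation helper for GHSA-3w6p-8f82-gw8r (log4j 1.2 JMSAppender in a shaded jar).

Added example; not part of the advisory or of clickhouse-jdbc-bridge.
"""
import os
import tempfile
import zipfile

# Class entries whose presence means the vulnerable appender can be loaded.
# First: the relocated path quoted in the advisory. Second: where an unshaded
# log4j 1.2.x jar carries the class.
JMSAPPENDER_ENTRIES = (
    "ru/yandex/clickhouse/jdbcbridge/internal/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/JMSAppender.class",
)

# Constructed log4j.properties: the default console appender plus the risky
# JMS one, using log4j 1.2's documented JMSAppender property names.
SAMPLE_LOG4J_PROPERTIES = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.internal:61616
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""


def find_jmsappender_entries(jar_path):
    """Return the JMSAppender class entries present in the jar (empty list = clean)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [entry for entry in JMSAPPENDER_ENTRIES if entry in names]


def strip_jmsappender(jar_path):
    """Rewrite the jar without any JMSAppender entry, like the advisory's `zip -d`.

    Every other entry is copied with its original metadata. Returns the number
    of entries removed. The rewrite goes to a temp file and is swapped in
    atomically so a crash never leaves a truncated jar behind.
    """
    removed = 0
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in JMSAPPENDER_ENTRIES:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return removed


def log4j_config_uses_jmsappender(properties_text):
    """Return the names of appenders declared as JMSAppender in a log4j.properties.

    Matches `log4j.appender.<name>=<class>` lines whose class ends in
    `.JMSAppender`, so a relocated class name is caught as well.
    """
    names = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        parts = key.strip().split(".")
        if parts[:2] == ["log4j", "appender"] and len(parts) == 3 \
                and value.strip().endswith(".JMSAppender"):
            names.append(parts[2])
    return names


def build_sample_jar(path):
    """Constructed stand-in for a pre-2.0.7 bridge jar: manifest, one placeholder
    class and the relocated JMSAppender entry. Bytes are fake placeholders."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("ru/yandex/clickhouse/jdbcbridge/JdbcBridge.class", b"\xca\xfe\xba\xbe placeholder")
        zf.writestr(JMSAPPENDER_ENTRIES[0], b"\xca\xfe\xba\xbe placeholder")
    return path


def demo():
    """Run the audit and the mitigation against the constructed inputs."""
    with tempfile.TemporaryDirectory() as workdir:
        jar = build_sample_jar(os.path.join(workdir, "clickhouse-jdbc-bridge-2.0.6.jar"))
        before = find_jmsappender_entries(jar)
        removed = strip_jmsappender(jar)
        after = find_jmsappender_entries(jar)
        with zipfile.ZipFile(jar) as zf:
            intact = zf.testzip() is None  # remaining entries still readable
    return {
        "before": before,
        "removed": removed,
        "after": after,
        "intact": intact,
        "risky_appenders": log4j_config_uses_jmsappender(SAMPLE_LOG4J_PROPERTIES),
    }


if __name__ == "__main__":
    print(demo())
```

Run the config check against the real `log4j.properties` on a host before relying on workaround 1, and the jar check against the deployed jar to confirm workaround 2 (or the upgrade to `2.0.7`) actually took effect; both are cheap enough to put in a CI or fleet-inventory job.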

Metadata

Created: 2021-12-17T20:42:38Z
Modified: 2021-12-17T20:34:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-3w6p-8f82-gw8r/GHSA-3w6p-8f82-gw8r.json
CWE IDs: ["CWE-502"]
Alternative ID: N/A
Finding: F096
Auto approve: 1