Impacted jars by Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228) ??

[Sanjay122021]

Hi Team,

We are using following jar provided by you.
1- antisamy-1.5.7.jar
2- Owasp.CsrfGuard.jar

We want to ensure and know if it is impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)”. If it’s impacted please let us know about the security recommendation. To know we are looking for following answer

Are you using log4J?
If you are using log4j 1.x version, are you using JMSAppender class
if you are using log4j 2.x are , what is your security recommendation to fix the issue

[forgedhallpass]

Hello @Sanjay122021,

We are using following jar provided by you.

Could you please elaborate on this? We don't provide such JARs.

You can check the dependencies of the project using mvn dependency:tree -Dscope=compile.

org.owasp:csrfguard🫙4.1.2-SNAPSHOT

+- javax.servlet:servlet-api:jar:2.5:provided
+- org.apache.commons:commons-lang3:jar:3.12.0:compile
+- commons-io:commons-io:jar:2.8.0:compile
+- com.google.code.gson:gson:jar:2.8.6:compile
+- org.slf4j:slf4j-api:jar:1.7.31:compile

org.owasp:csrfguard-extension-session🫙4.1.2-SNAPSHOT

+- org.owasp:csrfguard:jar:4.1.2-SNAPSHOT:compile
|  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
|  +- commons-io:commons-io:jar:2.8.0:compile
|  +- com.google.code.gson:gson:jar:2.8.6:compile
|  \- org.slf4j:slf4j-api:jar:1.7.31:compile
\- javax.servlet:servlet-api:jar:2.5:provided

org.owasp:csrfguard-jsp-tags🫙4.1.2-SNAPSHOT

+- org.owasp:csrfguard:jar:4.1.2-SNAPSHOT:compile
|  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
|  +- commons-io:commons-io:jar:2.8.0:compile
|  +- com.google.code.gson:gson:jar:2.8.6:compile
|  \- org.slf4j:slf4j-api:jar:1.7.31:compile
+- javax.servlet:servlet-api:jar:2.5:provided
+- javax.servlet.jsp:jsp-api:jar:2.1:provided
\- javax.servlet:jstl:jar:1.2:provided

For logging we use the SLF4J API, WITHOUT including any implementations. Even in the test project, we use LogBack.