master

分支 (1)

标签 (5)

管理

管理

master

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

OpenSCA-cli
/
db-demo.json

[
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[2.0.0,2.3.2)||[2.4.0,2.12.3)||[2.13.0,2.13.2)",
    "language": "java",
    "name": "Apache Log4j 信任管理问题漏洞",
    "id": "XMIRROR-2020-9488",
    "cve_id": "CVE-2020-9488",
    "cnnvd_id": "CNNVD-202004-2164",
    "cnvd_id": "CNVD-2020-32881",
    "cwe_id": "CWE-295",
    "description": "Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 \nApache Log4j中存在信任管理问题漏洞，该漏洞源于SmtpAppender没有验证主机名称与SMTPS连接的SSL/TLS证书是否匹配。攻击者可通过实施中间人攻击利用该漏洞拦截SMTPS连接，获取日志消息。",
    "description_en": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.",
    "suggestion": "目前厂商已发布升级补丁以修复漏洞，补丁获取链接： \nhttps://issues.apache.org/jira/browse/LOG4J2-2819",
    "attack_type": "远程",
    "release_date": "2020-04-27",
    "security_level_id": 4,
    "exploit_level_id": 0
  },
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[0,2.8.2)",
    "language": "java",
    "name": "Apache Log4j 代码问题漏洞",
    "id": "XMIRROR-2017-5645",
    "cve_id": "CVE-2017-5645",
    "cnnvd_id": "CNNVD-201704-852",
    "cnvd_id": "CNVD-2017-05975",
    "cwe_id": "CWE-502",
    "description": "Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 \nApache Log4j 2.8.2之前的2.x版本中存在代码问题漏洞。攻击者可利用该漏洞执行任意代码。",
    "description_en": "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.",
    "suggestion": "目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： \nhttps://issues.apache.org/jira/browse/LOG4J2-1863",
    "attack_type": "远程",
    "release_date": "2017-04-17",
    "security_level_id": 1,
    "exploit_level_id": 0
  },
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[2.0.0,2.3.1)||[2.4.0,2.12.2)||[2.13.0,2.15.0)",
    "language": "java",
    "name": "Apache Log4j 代码问题漏洞",
    "id": "XMIRROR-2021-44228",
    "cve_id": "CVE-2021-44228",
    "cnnvd_id": "CNNVD-202112-799",
    "cnvd_id": "CNVD-2021-100238",
    "cwe_id": "CWE-502",
    "description": "Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 \nApache Log4J 存在代码问题漏洞，攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器，当该请求被打印成日志时就会触发远程代码执行。",
    "description_en": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
    "suggestion": "目前厂商已发布升级补丁以修复漏洞，补丁获取链接： \nhttps://logging.apache.org/log4j/2.x/security.html",
    "attack_type": "远程",
    "release_date": "2021-12-10",
    "security_level_id": 1,
    "exploit_level_id": 1
  },
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[2.0.0,2.3.1)||[2.4.0,2.12.2)||[2.13.0,2.16.0)",
    "language": "java",
    "name": "Apache Log4j 代码问题漏洞",
    "id": "XMIRROR-2021-45046",
    "cve_id": "CVE-2021-45046",
    "cnnvd_id": "CNNVD-202112-1065",
    "cnvd_id": null,
    "cwe_id": "CWE-502",
    "description": "Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 \nApache Log4j 2.15.0版本存在代码问题漏洞，该漏洞源于当日志配置使用非默认模式布局和上下文查找或线程上下文映射模式使用 JNDI 查找模式制作恶意输入数据，从而导致拒绝服务攻击。",
    "description_en": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.",
    "suggestion": "目前厂商已发布升级补丁以修复漏洞，补丁获取链接： \nhttps://logging.apache.org/log4j/2.x/security.html。",
    "attack_type": "远程",
    "release_date": "2021-12-14",
    "security_level_id": 1,
    "exploit_level_id": 0
  },
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[2.0.0,2.3.1)||[2.4.0,2.12.3)||[2.13.0,2.17.0)",
    "language": "java",
    "name": "Apache Log4j 安全漏洞",
    "id": "XMIRROR-2021-45105",
    "cve_id": "CVE-2021-45105",
    "cnnvd_id": "CNNVD-202112-1493",
    "cnvd_id": "CNVD-2021-101661",
    "cwe_id": "CWE-20, CWE-674",
    "description": "Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 \nApache Log4j2 2.0-alpha1到2.16.0版本（不包括2.12.3）存在安全漏洞，该漏洞源于自引用查找的不受控递归。攻击者可利用该漏洞在解释精心编制的字符串时导致拒绝服务。此问题已在2.17.0 和 2.12.3中修复。",
    "description_en": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.",
    "suggestion": "目前厂商已发布升级补丁以修复漏洞，补丁获取链接： \nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
    "attack_type": "远程",
    "release_date": "2021-12-18",
    "security_level_id": 2,
    "exploit_level_id": 0
  },
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[2.0.0,2.3.2)||[2.4.0,2.12.4)||[2.13.0,2.17.1)",
    "language": "java",
    "name": "Apache Log4j 安全漏洞",
    "id": "XMIRROR-2021-44832",
    "cve_id": "CVE-2021-44832",
    "cnnvd_id": "CNNVD-202112-2743",
    "cnvd_id": null,
    "cwe_id": "CWE-20, CWE-74",
    "description": "Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 \nApache Log4j2 2.0-beta7 到 2.17.0版本存在安全漏洞，该漏洞源于软件中对于JDBC Appender 和JNDI 缺少有效的防护与过滤。有权修改日志配置文件的攻击者可以构建恶意配置 将 JDBC Appender 与引用 JNDI URI 的数据源一起使用，该 JNDI URI 可以执行远程代码。",
    "description_en": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.",
    "suggestion": "目前厂商已发布升级补丁以修复漏洞，补丁获取链接： \nhttps://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf",
    "attack_type": "远程",
    "release_date": "2021-12-28",
    "security_level_id": 3,
    "exploit_level_id": 0
  }
]