Vulnerability in quarkus-core dependency #43607

expertesantos · 2024-09-30T19:55:55Z

expertesantos
Sep 30, 2024

Hi everyone,

I’m facing an issue with Quarkus. The company I work for is strict about vulnerabilities, and AWS Amazon Inspector has pointed out that the Quarkus project is using the library org.jboss.logging.jboss-logging-3.6.0.Final.jar, which relies on the log4j version 1.2.17, leading to several vulnerabilities being flagged: CVE-2019-17571, CVE-2022-23305, CVE-2023-26464, CVE-2022-23302, CVE-2022-23307, CVE-2021-4104, CVE-2020-9488.

I tried to exclude the jboss-logging dependency, but this library is used in quarkus-core, and I encountered the following error:

org/jboss/logging/BasicLogger: java.lang.NoClassDefFoundError
java.lang.NoClassDefFoundError: org/jboss/logging/BasicLogger
        at java.base/java.lang.ClassLoader.defineClass1(Native Method)
        at java.base/java.lang.ClassLoader.defineClass(Unknown Source)
        at java.base/java.security.SecureClassLoader.defineClass(Unknown Source)
        at java.base/java.net.URLClassLoader.defineClass(Unknown Source)
        at java.base/java.net.URLClassLoader$1.run(Unknown Source)
        at java.base/java.net.URLClassLoader$1.run(Unknown Source)
        at java.base/java.security.AccessController.doPrivileged(Unknown Source)
        at java.base/java.net.URLClassLoader.findClass(Unknown Source)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        at io.smallrye.config.SmallRyeConfig$ConfigSources.getSources(SmallRyeConfig.java:968)
        at io.smallrye.config.SmallRyeConfig$ConfigSources.<init>(SmallRyeConfig.java:804)
        at io.smallrye.config.SmallRyeConfig.<init>(SmallRyeConfig.java:86)
        at io.smallrye.config.SmallRyeConfigBuilder.build(SmallRyeConfigBuilder.java:736)
        at io.quarkus.runtime.generated.Config.<clinit>(Unknown Source)
        at io.quarkus.runner.ApplicationImpl.<clinit>(Unknown Source)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Unknown Source)
        at io.quarkus.runtime.Quarkus.manualInitialize(Quarkus.java:236)
        at io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler.<init>(QuarkusStreamHandler.java:21)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Unknown Source)
        at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.jboss.logging.BasicLogger
        at java.base/java.net.URLClassLoader.findClass(Unknown Source)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        ... 25 more

I saw that there’s already a discussion on the jboss-logging project, but there hasn’t been any movement: jboss-logging/jboss-logging#111

Considering that I cannot deploy with AWS Amazon Inspector raising this issue, do you have any suggestions?

Answered by dmlloyd

Sep 30, 2024

Since we do not include log4j, this is not an issue (note that the dependency is provided scope). Unfortunately these vulnerability scanners don't always understand the nature of a dependency. But, jboss-logging cannot be said to depend on log4j in any logical sense.

View full answer

phillip-kruger · 2024-09-30T22:00:15Z

phillip-kruger
Sep 30, 2024
Collaborator

//cc @dmlloyd

1 reply

dmlloyd Sep 30, 2024
Maintainer

It does not in fact actually include log4j. It is only in the dependency list with a provided scope, meaning that jboss-logging may be used with systems which use log4j for logging. Quarkus is not such a system.

dmlloyd · 2024-09-30T22:13:09Z

dmlloyd
Sep 30, 2024
Maintainer

Since we do not include log4j, this is not an issue (note that the dependency is provided scope). Unfortunately these vulnerability scanners don't always understand the nature of a dependency. But, jboss-logging cannot be said to depend on log4j in any logical sense.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability in quarkus-core dependency #43607

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Vulnerability in quarkus-core dependency #43607

expertesantos Sep 30, 2024

Replies: 2 comments · 1 reply

phillip-kruger Sep 30, 2024 Collaborator

dmlloyd Sep 30, 2024 Maintainer

dmlloyd Sep 30, 2024 Maintainer

expertesantos
Sep 30, 2024

Replies: 2 comments 1 reply

phillip-kruger
Sep 30, 2024
Collaborator

dmlloyd Sep 30, 2024
Maintainer

dmlloyd
Sep 30, 2024
Maintainer