Static Code Injection in playframework/play-samples
Reported on
Jan 16th 2022
Description
The "play-samples" project uses a vulnerable version of the log4j library (2.17.0). This exposes the project to a potential remote code execution (RCE) vulnerability: CVE-2021-44832 (Remote Code Execution). See also the Apache reference for CVE-2021-44832. You should upgrade the log4j library to the latest version.
Proof of Concept
You can see the version of the log4j library in use in the following build definition:
// build.sbt: the log4j version is pinned once in a val and reused for every log4j artifact
val log4jVersion = "2.17.0"

lazy val root = (project in file("."))
  .enablePlugins(PlayScala)
  .disablePlugins(PlayLogback)
  .settings(
    name := """play-scala-log4j2-example""",
    version := "1.0-SNAPSHOT",
    scalaVersion := "2.13.6",
    libraryDependencies ++= Seq(
      guice,
      // all three log4j artifacts follow the pinned version above
      "org.apache.logging.log4j" % "log4j-slf4j-impl" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-api" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-core" % log4jVersion,
      "org.scalatestplus.play" %% "scalatestplus-play" % "5.0.0" % Test,
    ),
    scalacOptions ++= Seq(
      "-feature",
      "-deprecation",
      "-Xfatal-warnings"
    )
  )
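As an added example (not code from the play-samples project or from the reporter), a small Python checker that scans an sbt build definition like the one above, resolves the `val` that pins the log4j version, and flags any log4j artifact below the CVE-2021-44832 fix version for its branch (2.3.2, 2.12.4 or 2.17.1, per the Apache advisory). The sample build text is constructed from the snippet in this report; the function names are the example's own.

```python
import re

# Fix versions for CVE-2021-44832 per maintained log4j 2.x branch (Apache advisory):
# 2.3.2 (Java 6 line), 2.12.4 (Java 7 line), 2.17.1 (main line).
FIXED_2_3 = (2, 3, 2)
FIXED_2_12 = (2, 12, 4)
FIXED_MAIN = (2, 17, 1)

# `val name = "literal"` bindings and log4j dependency coordinates in an sbt build
VAL_RE = re.compile(r'val\s+(\w+)\s*=\s*"([^"]+)"')
DEP_RE = re.compile(r'"org\.apache\.logging\.log4j"\s*%%?\s*"([\w.-]+)"\s*%\s*([^\s,)]+)')

def parse_version(text):
    """'2.17.0' -> (2, 17, 0); qualifiers such as '-rc1' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def is_fixed(version):
    """True when a log4j 2.x version is at or above the fix for its branch."""
    if version[:2] == FIXED_2_3[:2]:
        return version >= FIXED_2_3
    if version[:2] == FIXED_2_12[:2]:
        return version >= FIXED_2_12
    return version >= FIXED_MAIN

def check_build_sbt(text):
    """Return [(artifact, version, vulnerable)] for every log4j dependency found."""
    vals = dict(VAL_RE.findall(text))
    findings = []
    for artifact, version_expr in DEP_RE.findall(text):
        # the version is either a quoted literal or a reference to a `val`;
        # an unresolvable reference parses to () and is reported as vulnerable
        version = vals.get(version_expr, version_expr.strip('"'))
        findings.append((artifact, version, not is_fixed(parse_version(version))))
    return findings

# Constructed sample: the dependency block from the report above.
SAMPLE_BUILD_SBT = '''
val log4jVersion = "2.17.0"
libraryDependencies ++= Seq(
  guice,
  "org.apache.logging.log4j" % "log4j-slf4j-impl" % log4jVersion,
  "org.apache.logging.log4j" % "log4j-api" % log4jVersion,
  "org.apache.logging.log4j" % "log4j-core" % log4jVersion,
  "org.scalatestplus.play" %% "scalatestplus-play" % "5.0.0" % Test,
)
'''

if __name__ == "__main__":
    for artifact, version, vulnerable in check_build_sbt(SAMPLE_BUILD_SBT):
        status = "VULNERABLE (upgrade to 2.17.1 or later)" if vulnerable else "ok"
        print(f"{artifact} {version}: {status}")
```

Only log4j-core contains the affected JDBC Appender code, but all three artifacts are pinned to one val, so bumping that val moves them together.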
Impact
This vulnerable library exposes the "play-samples" project to a potential Remote Code Execution vulnerability. You should upgrade this library.
Occurrences
SECURITY.md
a year ago
I merged the PR. However, the projects in the repo are just example projects; they are not part of the Play Framework source code itself. Some of the projects are outdated AFAIK. So I wouldn't really count that as a security vulnerability. Anyway, approving.