Static Code Injection in playframework/play-samples

Valid

Reported on

Jan 16th 2022


Description

The "play-samples" project pins Log4j 2.17.0, which is affected by CVE-2021-44832 (remote code execution). In that CVE, an attacker who can modify the logging configuration can give the JDBC Appender a JNDI data source URI pointing at an LDAP server they control, and Log4j will load remote code from it; Apache fixed this in Log4j 2.17.1 (2.12.4 and 2.3.2 for the older Java lines). See also the Apache Log4j security advisory for CVE-2021-44832. The Log4j dependency should be upgraded to the latest version.

Proof of Concept

The Log4j version in use is pinned in the project's build.sbt:

// Single pin shared by all three Log4j artifacts below.
// 2.17.0 falls inside the range affected by CVE-2021-44832 (fixed in 2.17.1).
val log4jVersion = "2.17.0"

lazy val root = (project in file("."))
  .enablePlugins(PlayScala)
  .disablePlugins(PlayLogback)   // Logback is replaced by Log4j 2 as the logging backend
  .settings(
    name := """play-scala-log4j2-example""",
    version := "1.0-SNAPSHOT",
    scalaVersion := "2.13.6",
    libraryDependencies ++= Seq(
      guice,
      "org.apache.logging.log4j" % "log4j-slf4j-impl" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-api" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-core" % log4jVersion,   // the artifact carrying the JDBC Appender
      "org.scalatestplus.play" %% "scalatestplus-play" % "5.0.0" % Test,
    ),
    scalacOptions ++= Seq(
      "-feature",
      "-deprecation",
      "-Xfatal-warnings"
    )
  )

Impact

Log4j 2.17.0 leaves the "play-samples" project exposed to CVE-2021-44832, a remote code execution vulnerability in log4j-core; exploitation requires the attacker to control the logging configuration. The library should be upgraded to 2.17.1 or later.
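As an added check, not part of play-samples or Log4j: a stand-alone script that resolves the log4j-core version pinned in an sbt build (either a literal or a `val` reference such as `log4jVersion`) and tests it against the affected range for CVE-2021-44832. The build.sbt content below is a constructed excerpt of the snippet above; the affected range (2.0-beta7 through 2.17.0) and the fixed releases (2.17.1, 2.12.4, 2.3.2) follow the Apache advisory.

```python
"""Check the log4j-core version pinned in an sbt build against CVE-2021-44832.

Added example script, not code from play-samples or from Log4j.
"""
import re

# Constructed sample: the relevant lines of the build.sbt quoted in the report.
SAMPLE_BUILD_SBT = '''
val log4jVersion = "2.17.0"

lazy val root = (project in file("."))
  .settings(
    libraryDependencies ++= Seq(
      "org.apache.logging.log4j" % "log4j-slf4j-impl" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-core" % log4jVersion,
    )
  )
'''

# Range and fixed releases as stated in the Apache advisory for CVE-2021-44832.
FIRST_AFFECTED = "2.0-beta7"
LAST_AFFECTED = "2.17.0"
FIXED_VERSIONS = {"2.17.1", "2.12.4", "2.3.2"}


def parse_version(version):
    """Turn '2.17.0' or '2.0-beta7' into a tuple that compares correctly.

    Numeric parts compare numerically; a pre-release suffix sorts before the
    final release with the same number (2.0-beta7 < 2.0 < 2.0.1).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, tag, tagnum = m.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    # (1,) marks a final release, (0, tag, n) marks a pre-release of that number.
    pre = (1,) if tag is None else (0, tag.lower(), int(tagnum or 0))
    return numeric + pre


def pinned_log4j_version(build_sbt):
    """Return the version bound to log4j-core, following a val reference if used."""
    vals = dict(re.findall(r'val\s+(\w+)\s*=\s*"([^"]+)"', build_sbt))
    m = re.search(
        r'"org\.apache\.logging\.log4j"\s*%\s*"log4j-core"\s*%\s*(\S+)', build_sbt
    )
    if not m:
        return None
    ref = m.group(1).rstrip(",")
    if ref.startswith('"'):          # literal: "log4j-core" % "2.17.1"
        return ref.strip('"')
    return vals.get(ref)             # reference: "log4j-core" % log4jVersion


def affected_by_cve_2021_44832(version):
    """True if this log4j-core version lies in the affected range."""
    if version in FIXED_VERSIONS:    # backported security releases on old lines
        return False
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


def audit(build_sbt):
    """One-line verdict for a build.sbt's log4j-core pin."""
    version = pinned_log4j_version(build_sbt)
    if version is None:
        return "log4j-core not found"
    if affected_by_cve_2021_44832(version):
        return f"log4j-core {version}: affected by CVE-2021-44832, upgrade to 2.17.1 or later"
    return f"log4j-core {version}: not affected by CVE-2021-44832"


if __name__ == "__main__":
    print(audit(SAMPLE_BUILD_SBT))
```

Run it against a real build.sbt by reading the file into `audit()`. The check covers only a direct pin; a log4j-core version pulled in transitively would need `sbt dependencyTree` (or an SBOM) rather than a scan of build.sbt.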

Occurrences

We are processing your report and will contact the playframework/play-samples team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the playframework/play-samples team and are waiting to hear back 4 months ago
oivrip
4 months ago

Researcher


Hi, I think the PR will be merged. Can you approve this report?

Matthias Kurz
4 months ago

Maintainer


I merged the PR. However, the projects in the repo are just example projects; they are not part of the Play Framework source code itself. Some of the projects are outdated AFAIK. So I wouldn't really count that as a security vulnerability. Anyway, approving.

Matthias Kurz validated this vulnerability 4 months ago
oivrip has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matthias Kurz confirmed that a fix has been merged on 257d0d 4 months ago
Matthias Kurz has been awarded the fix bounty
build.sbt#L1 has been validated