Log4j 1.2.17 (CVE-2019-17571) critical vulnerability due to lagom-scaladsl-kafka-broker

Hello Lightbend Team

I would like to report “critical” CVE-2019-17571 against log4j 1.x. This exists in the latest version of log4j 1.x (specifically log4j 1.2.17).

log4j 1.2.17 is used by lagom-scaladsl-kafka-broker - see https://mvnrepository.com/artifact/com.lightbend.lagom/lagom-scaladsl-kafka-broker_2.13/1.6.5.

Snyk scans of projects that are using Lagom 1.6.5 are flagging this as a critical vulnerability.

To read more about the CVE, please refer to: NVD - CVE-2019-17571

Is there any workaround for this issue? Is there another forum or place to report this as a high-priority issue?

Regards
Manas

@manasbuilds,

Thanks for reporting this.

The Lagom Kafka broker artifact is never deployed to a production system. This is only used during development mode to run a Kafka broker on your machine. That said, this is not something that can expose your system to said vulnerability.

However, I will update this dependency anyway as others may run into the same warning. I agree that this is confusing and with all the recent concerns around Log4j we should avoid any extra source of concerns.

Kind regards,

Renato

Hello @octonato

Thank you for responding.

Yes, this does not relate to the log4j 2 CVE that is hot in the news (NVD - CVE-2021-44228) but this is a different CVE for log4j 1.2.17 (NVD - CVE-2019-17571) that still shows “Critical” in Snyk scans of application builds that use Lagom 1.6.5.

Is there a way to “exclude” lagom-scaladsl-kafka-broker when we build a project (sbt dist) that uses Lagom 1.6.5? That way, the production build will NOT include this component or the resulting log4j 1.2.17 jar.

Thank you once again for your prompt response. Any advice or feedback you can share would be much appreciated.

Regards
Manas
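The exclusion Manas asks about can be expressed in the project's own build.sbt. The fragment below is an added illustration, not code from this thread or from the Lagom project: it removes the log4j 1.x artifact (the `log4j:log4j` coordinates behind the 1.2.17 jar named in the report) from the resolved dependency graph and adds a task that fails the build if the artifact is ever resolved again. The project name `helloImpl` and its directory are hypothetical; the sbt settings (`excludeDependencies`, `ExclusionRule`, `update`, `UpdateReport.allModules`) are standard sbt 1.x.

```scala
// build.sbt (added example; not from the Lagom project or this thread)

// Pull the log4j 1.x artifact (groupId "log4j", artifactId "log4j") out of
// every module's dependency graph, whichever transitive path brings it in.
// Exclusion removes classes rather than patching them: code that still links
// against org.apache.log4j will fail at runtime, so run the test suite after
// applying this.
ThisBuild / excludeDependencies += ExclusionRule("log4j", "log4j")

// A guard that makes a reappearance loud instead of silent. `update` is sbt's
// own resolution task; its report lists every module that was resolved.
lazy val checkNoLog4j1 =
  taskKey[Unit]("Fail the build if log4j:log4j 1.x is on the classpath")

lazy val noLog4j1Settings: Seq[Setting[_]] = Seq(
  checkNoLog4j1 := {
    val report = update.value
    val log4j1 = report.allModules.filter(m =>
      m.organization == "log4j" && m.name == "log4j" && m.revision.startsWith("1."))
    if (log4j1.nonEmpty)
      sys.error(s"log4j 1.x still resolved: ${log4j1.mkString(", ")}")
    else
      streams.value.log.info("no log4j 1.x artifact on the classpath")
  }
)

// Hypothetical Lagom service module; apply the guard to each module that is
// packaged by `sbt dist`.
lazy val helloImpl = (project in file("hello-impl"))
  .enablePlugins(LagomScala)
  .settings(noLog4j1Settings)
```

Run `sbt helloImpl/checkNoLog4j1` (or wire the task into the CI pipeline before `dist`) to get a build-time verdict instead of relying on a scanner of the finished package. The check looks at what sbt actually resolved, so it also catches a future library that reintroduces log4j 1.x through a different path.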

Hi Manas,

I just cut a new release of Lagom (v1.6.7) that removes that dependency. It turns out it was not needed at all. This is probably not yet in Maven Central, but should show up soon.

I think the easiest for you will be to upgrade to 1.6.7.

A more formal announcement will follow.

Cheers,

Renato

Thank you!

Hi Renato,

I am Manas’ colleague - thanks for the 1.6.7 release.

However, when I tried upgrading to this version, I got the following error -

[warn] sbt 0.13 shell syntax is deprecated; use slash syntax instead: Global / dumpStructure
[error] stack trace is suppressed; run 'last lagom-internal-meta-project-service-locator / update' for the full output
[error] stack trace is suppressed; run 'last lagom-internal-meta-project-service-locator / ssExtractDependencies' for the full output
[error] (lagom-internal-meta-project-service-locator / update) found version conflict(s) in library dependencies; some are suspected to be binary incompatible:
[error]
[error] 	* org.scala-lang.modules:scala-java8-compat_2.12:1.0.2 (early-semver) is selected over {0.8.0, 0.9.1, 0.9.1, 0.9.1}
[error] 	    +- com.lightbend.lagom:lagom-akka-management-core_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-javadsl-jackson_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-api_2.12:1.6.7           (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-dev-mode-ssl-support_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-scaladsl-play-json_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-logback_2.12:1.6.7       (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-service-registry-client-core_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.typesafe.play:play-ahc-ws-standalone_2.12:2.1.6 (depends on 1.0.2)
[error] 	    +- com.typesafe.play:play_2.12:2.8.11                 (depends on 0.9.1)
[error] 	    +- com.typesafe.play:play-streams_2.12:2.8.11         (depends on 0.9.1)
[error] 	    +- com.typesafe.play:play-java_2.12:2.8.11            (depends on 0.9.1)
[error] 	    +- com.typesafe.akka:akka-actor_2.12:2.6.17           (depends on 0.8.0)
[error]
[error]
[error] this can be overridden using libraryDependencySchemes or evictionErrorLevel
[error] (lagom-internal-meta-project-service-locator / ssExtractDependencies) found version conflict(s) in library dependencies; some are suspected to be binary incompatible:
[error]
[error] 	* org.scala-lang.modules:scala-java8-compat_2.12:1.0.2 (early-semver) is selected over {0.8.0, 0.9.1, 0.9.1, 0.9.1}
[error] 	    +- com.lightbend.lagom:lagom-akka-management-core_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-javadsl-jackson_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-api_2.12:1.6.7           (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-dev-mode-ssl-support_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-scaladsl-play-json_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-logback_2.12:1.6.7       (depends on 1.0.2)
[error] 	    +- com.lightbend.lagom:lagom-service-registry-client-core_2.12:1.6.7 (depends on 1.0.2)
[error] 	    +- com.typesafe.play:play-ahc-ws-standalone_2.12:2.1.6 (depends on 1.0.2)
[error] 	    +- com.typesafe.play:play_2.12:2.8.11                 (depends on 0.9.1)
[error] 	    +- com.typesafe.play:play-streams_2.12:2.8.11         (depends on 0.9.1)
[error] 	    +- com.typesafe.play:play-java_2.12:2.8.11            (depends on 0.9.1)
[error] 	    +- com.typesafe.akka:akka-actor_2.12:2.6.17           (depends on 0.8.0)
[error]
[error]
[error] this can be overridden using libraryDependencySchemes or evictionErrorLevel
[error] Total time: 55 s, completed 15 Dec, 2021 10:56:26 AM
[info] shutting down sbt server

I don’t understand why it is trying to pull a 2.12 dependency for a Scala 2.13 project?

Regards,
Manoj.

From what I see, your project is using Scala 2.12 and you are using sbt 1.5.

This is a known issue with sbt 1.5 and projects using akka compiled for Scala 2.12. Sbt will fail the semver check.

Akka_2.12 is using scala-java8-compat 0.8.0 and Play_2.12 is using 0.9.1, while Lagom is on 1.0.2.

Check your scala version with sbt scalaVersion. I’m sure this project is configured for 2.12.
You have two options here:

  • move to Scala 2.13 (recommended)
  • downgrade to sbt 1.4

Cheers,

Renato

PS: I’m surprised that Play 2.8.11 for Scala 2.12 is using a different scala-java8-compat. I thought we had bumped it to 1.0.2 in Lagom.
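The sbt error output above names its own escape hatch: "this can be overridden using libraryDependencySchemes or evictionErrorLevel". The build.sbt fragment below is an added illustration of that override, not code from this thread or from Lagom, and is the alternative to downgrading sbt that the thread does not spell out. It assumes the artifacts shown in Manoj's error (scala-java8-compat 0.8.0 and 0.9.1 from Akka and Play, 1.0.2 from Lagom 1.6.7) and treats that one library as compatible across those versions, which is the assumption the thread itself validates when the build runs cleanly under sbt 1.4.9. The `_2.12` suffixes in a 2.13 project most likely come from the `lagom-internal-meta-project-service-locator` module named in the error, a dev-mode helper project that the Lagom sbt plugin builds on the plugin's own Scala version rather than the application's.

```scala
// build.sbt (added example; not from the Lagom project or this thread)

// sbt 1.5 classifies scala-java8-compat as "early-semver", so 0.8.0 / 0.9.1
// (Akka, Play) versus 1.0.2 (Lagom) is reported as a suspected binary
// incompatibility and the build fails. Declaring the scheme as "always"
// tells sbt this library is compatible across versions; the usual eviction
// rule then keeps the highest version, 1.0.2. This is a statement about one
// library, so it is scoped to that library only.
ThisBuild / libraryDependencySchemes +=
  "org.scala-lang.modules" %% "scala-java8-compat" % VersionScheme.Always

// The other override the error mentions is a blunt instrument: it demotes
// EVERY eviction error to a warning, including genuine binary-incompatible
// conflicts you would want the build to stop on. Prefer the per-library
// scheme above; leave this commented out unless you are debugging.
// ThisBuild / evictionErrorLevel := Level.Warn
```

After adding the setting, `sbt update` should resolve scala-java8-compat 1.0.2 without the conflict error while all other eviction checks stay in force. The point of preferring `libraryDependencySchemes` over `evictionErrorLevel` is the same one that applies to any security control: silence the known false positive, not the detector.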

Thanks Renato. Our project is not using Scala 2.12, it’s on 2.13.

However, downgrading sbt from 1.5.5 to 1.4.9 helped, and I was able to test Lagom 1.6.7 with our code-base and so far all is good.

Thanks,
Manoj.