Thanks to CVE-2021-44228, we decided to integrate the OWASP Dependency-Check Gradle plugin into our Android projects.
We were surprised to see that the mentioned CVE was present in an IntelliJ dependency:
One or more dependencies were identified with known vulnerabilities in app: ... intellij-core-26.5.4.jar\META-INF/maven/log4j/log4j/pom.xml (pkg:maven/log4j/log4j@1.2.17, cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9488, CVE-2021-44228
We have three questions about it:
- Should we be worried about this identified vulnerability?
- How is the intellij-core-26.5.4.jar pulled?
- Is this jar present in our final APK?
CodePudding user response:
IntelliJ is of course just an advanced text editor and has no relation to the Android application itself, so no, I wouldn't worry. It might be an insecurity for JetBrains, though, but that's really their problem.
CodePudding user response:
CVE-2021-44228 is only applicable to Log4J2 versions 2.0-beta9 and newer, up to and including 2.14.1, see: https://logging.apache.org/log4j/2.x/security.html
It does not apply to older versions such as Log4J 1.2.17.
The JAR file intellij-core-26.5.4.jar is part of IntelliJ IDEA itself, and is not something that is included with the APK of your own application when you create an Android application with IntelliJ or Android Studio.
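The finding quoted in the question and the version rule given in the answer above, combined in an added Python example (this is not code from the page, from OWASP Dependency-Check or from either answerer): it parses the scanner's summary line, pulls the version out of the Package URL, identifies the jar the matched pom.xml is nested in, and tests the version against the 2.0-beta9 to 2.14.1 range the answer states for CVE-2021-44228. The sample line is constructed from the question (with the obfuscated e-mail form restored to log4j@1.2.17); the ordering rule for alpha/beta/rc qualifiers and all function names are my assumptions, and the range check covers only that one CVE.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample: the dependency-check summary line from the question.
SAMPLE_FINDING = (
    r"intellij-core-26.5.4.jar\META-INF/maven/log4j/log4j/pom.xml "
    "(pkg:maven/log4j/log4j@1.2.17, cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) "
    ": CVE-2019-17571, CVE-2020-9488, CVE-2021-44228"
)

# Affected range for CVE-2021-44228 as stated in the answer (inclusive bounds).
CVE_2021_44228_RANGE = ("2.0-beta9", "2.14.1")

# Assumed pre-release ordering: alpha < beta < rc < final release.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
RELEASE_RANK = (3,)

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")
FINDING_RE = re.compile(
    r"^(?P<artifact>\S+) \(pkg:maven/(?P<group>[^/]+)/(?P<name>[^@]+)@(?P<version>[^,)]+)"
    r"[^)]*\) : (?P<cves>CVE-\d{4}-\d+(?:, CVE-\d{4}-\d+)*)$"
)


class Finding(NamedTuple):
    artifact: str
    group: str
    name: str
    version: str
    cves: Tuple[str, ...]


def version_key(version: str) -> tuple:
    """Sortable key: (numeric parts padded to 3, qualifier rank).

    '2.0-beta9' -> ((2, 0, 0), (1, 9)); '2.14.1' -> ((2, 14, 1), (3,)).
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    qualifier, qnum = m.group(2), m.group(3)
    if qualifier is None:
        return (nums, RELEASE_RANK)
    rank = QUALIFIER_RANK.get(qualifier.lower())
    if rank is None:
        raise ValueError(f"unknown qualifier in version: {version!r}")
    return (nums, (rank, int(qnum or 0)))


def is_in_cve_2021_44228_range(version: str) -> bool:
    """True when version lies inside the range the answer gives for the CVE."""
    lo, hi = (version_key(v) for v in CVE_2021_44228_RANGE)
    return lo <= version_key(version) <= hi


def parse_finding(line: str) -> Finding:
    """Extract artifact path, Maven coordinates and CVE list from one summary line."""
    m = FINDING_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised finding line: {line!r}")
    cves = tuple(c.strip() for c in m["cves"].split(","))
    return Finding(m["artifact"], m["group"], m["name"], m["version"], cves)


def containing_jar(artifact: str) -> Optional[str]:
    """A 'jar\\META-INF/maven/.../pom.xml' path means the match came from a pom
    embedded in another jar; return that outer jar, else None."""
    if "META-INF/maven/" in artifact and "\\" in artifact:
        return artifact.split("\\", 1)[0]
    return None


def triage(line: str) -> dict:
    """Decide whether CVE-2021-44228 actually applies to the version the scanner matched."""
    f = parse_finding(line)
    flagged = "CVE-2021-44228" in f.cves
    applicable = flagged and is_in_cve_2021_44228_range(f.version)
    return {
        "package": f"{f.group}:{f.name}:{f.version}",
        "containing_jar": containing_jar(f.artifact),
        "flagged": flagged,
        "applicable": applicable,
        "reason": (
            "version inside stated affected range" if applicable
            else "version outside 2.0-beta9..2.14.1 (log4j 1.x line)" if flagged
            else "CVE not reported for this artifact"
        ),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FINDING))
```

The version ordering deliberately treats 2.0-beta8 as outside the range and 2.0-rc1 as inside it, which is what the inclusive lower bound 2.0-beta9 implies. Once a finding has been verified as not applicable this way, the durable fix is to record it in Dependency-Check's suppression file so the scan stays clean, rather than filtering the report after the fact.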