Keycloak Log4J 1.2.x vulnerability

Hi guys,
The Anchore Scan detected a critical vulnerability in Keycloak related to Log4J.

2021-07-09T17:11:08.8547317Z vulnerabilities        package                CRITICAL Vulnerability found in non-os package type (java) - /opt/jboss/keycloak/modules/system/layers/base/org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.2.0.Final.jar (CVE-2019-17571 -        stop 

I saw a bug card related to this issue in Keycloak’s Jira: [KEYCLOAK-15131] Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization - Red Hat Issue Tracker

This card has a message from @stianst that says:

This issue was resolved a long time ago in WildFly, which does not include the affected classes. See CVE-2019-17571- Red Hat Customer Portal for more details.

The pom.xml file in Keycloak has a reference to version 1.2 (line 92).


So, what is the usage of this package by Keycloak? Does this vulnerability detection make sense?

Based on the Apache Log4j site, Log4j 1.x has reached end of life and they recommend updating to Log4j 2.
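A practical way to settle the question in the post is to look past the jar name the scanner matched on and check what the jar actually packages. CVE-2019-17571 is about `org.apache.log4j.net.SocketServer`, which accepts TCP connections and hands each one to `org.apache.log4j.net.SocketNode`, the class that deserializes the incoming stream; if neither class is present in `log4j-jboss-logmanager-1.2.0.Final.jar`, the reachable vulnerable code is not there regardless of the version string. The following is an added check, not code from the original post, from Keycloak or from the Anchore scanner; the jar path is taken from the scan line above, the two class names are the ones associated with the CVE, and the sample jars built inside the script are constructed so the check runs offline.

```python
import io
import zipfile

# Jar flagged by the scanner (path copied from the Anchore output above).
FLAGGED_JAR = ("/opt/jboss/keycloak/modules/system/layers/base/org/jboss/"
               "log4j/logmanager/main/log4j-jboss-logmanager-1.2.0.Final.jar")

# Classes behind CVE-2019-17571: SocketServer is the class the CVE names,
# SocketNode is the class it hands connections to and that reads objects
# from the socket with ObjectInputStream.
AFFECTED_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)


def affected_classes_in(jar_bytes):
    """Return the subset of AFFECTED_CLASSES present in a jar (given as bytes)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return [cls for cls in AFFECTED_CLASSES if cls in names]


def log4j_net_entries(jar_bytes):
    """List every org.apache.log4j.net entry the jar ships, for a fuller picture."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist()
                      if n.startswith("org/apache/log4j/net/"))


def verdict(jar_bytes):
    """Human-readable conclusion for the scanner finding."""
    hits = affected_classes_in(jar_bytes)
    if hits:
        return "CVE-2019-17571 code present: " + ", ".join(hits)
    return "affected classes absent; scanner matched on jar name/version only"


def check_jar_file(path):
    """Run the same check against a real jar on disk (e.g. FLAGGED_JAR)."""
    with open(path, "rb") as fh:
        return verdict(fh.read())


def build_jar(entries):
    """Constructed sample jar: empty placeholder entries, enough for a name check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed samples: a stock-looking log4j 1.2 jar that ships the socket
# classes, and a bridge-style jar that only ships the logging API classes.
FULL_LOG4J = build_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
])
API_ONLY = build_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/Category.class",
    "org/apache/log4j/Level.class",
])

if __name__ == "__main__":
    print("constructed full log4j jar :", verdict(FULL_LOG4J))
    print("constructed api-only jar   :", verdict(API_ONLY))
    # On the Keycloak image itself: print(check_jar_file(FLAGGED_JAR))
```

On the actual image the same question can be answered with `unzip -l <jar> | grep 'log4j/net/'` from inside the container; the script just makes the reasoning explicit and reusable for the other log4j-named jars a scanner may flag.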