
Custom Samples example repository referenced vulnerable Log4j 2

High
briandealwis published GHSA-98x4-2mhq-c95x Dec 19, 2021

Package

cloud-code-custom-samples-example/bank-of-anthos (cloud-code-samples)

Affected versions

commits < 2021-12-14 19:26:10 UTC

Patched versions

2021-12-15 20:42:13 UTC (commit d81c71b)

Description

Linked Advisory: cloud-code-custom-samples-example GHSA-h9xv-vc3v-gvw9

Impact

Cloud Code provides a demonstration project on GitHub at https://github.com/GoogleCloudPlatform/cloud-code-custom-samples-example that shows how someone might configure a samples repository. Prior to December 15, 2021 this GitHub project included a snapshot of the Bank of Anthos application with a dependency on Log4j 2.13.3, which is vulnerable to CVE-2021-44228 and CVE-2021-45046. Any user who followed the Cloud Code guide to "Setting up a samples repository" before December 15, 2021 may have added this repository to Cloud Code and may have the vulnerable version available on disk.

This issue only affects users who created an application based on Bank of Anthos and subsequently deployed that application.

Patches

The cloud-code-custom-samples-example repository was updated to remove the Bank of Anthos application on December 15, 2021.

Remediation

If you created a project from a Bank of Anthos template, you should follow the process used by the Bank of Anthos project to update to the latest version of Log4j.

Update your local copy of the cloud-code-custom-samples-example repository, or remove the cloud-code-custom-samples-example repository.
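As an added example (not part of this advisory or of the Cloud Code project), one way to verify the remediation above: walk a local checkout of a samples repository or a project created from it and report every Maven or Gradle build file that still declares a log4j-core version older than a fixed release. The `MIN_SAFE_VERSION` threshold, the build-file names and the sample pom.xml fragment are assumptions; set the threshold to the release you require.

```python
import re
from pathlib import Path

# Assumption: the oldest Log4j 2 release you accept. Set it to the current fixed release.
MIN_SAFE_VERSION = (2, 17, 1)

# Maven: <artifactId>log4j-core</artifactId> followed by <version>...</version> in the same <dependency>.
MAVEN_DEP_RE = re.compile(
    r"<artifactId>\s*log4j-core\s*</artifactId>\s*<version>\s*([^<]+?)\s*</version>")
# Maven property definition, e.g. <log4j.version>2.13.3</log4j.version>
MAVEN_PROP_RE = re.compile(r"<([\w.\-]+)>\s*([\d.]+)\s*</\1>")
# Gradle: "org.apache.logging.log4j:log4j-core:2.13.3"
GRADLE_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:([\d.]+)")

def parse_version(s):
    """'2.13.3' -> (2, 13, 3); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

def declared_log4j_core_versions(text):
    """Every log4j-core version a pom.xml or build.gradle text declares, with ${props} resolved."""
    props = dict(MAVEN_PROP_RE.findall(text))
    versions = []
    for v in MAVEN_DEP_RE.findall(text):
        if v.startswith("${") and v.endswith("}"):
            v = props.get(v[2:-1], v)  # an unresolved property is kept as-is so it gets reported
        versions.append(v)
    return versions + GRADLE_RE.findall(text)

def vulnerable_versions(text, min_safe=MIN_SAFE_VERSION):
    """Declared versions older than min_safe; unparseable ones are kept for a manual look."""
    out = []
    for v in declared_log4j_core_versions(text):
        parsed = parse_version(v)
        if not parsed or parsed < min_safe:
            out.append(v)
    return out

def scan_tree(root):
    """Walk a local checkout and map each build file to its vulnerable log4j-core declarations."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.name in ("pom.xml", "build.gradle", "build.gradle.kts"):
            bad = vulnerable_versions(path.read_text(errors="replace"))
            if bad:
                findings[str(path)] = bad
    return findings

# Constructed pom.xml fragment modelled on the advisory: log4j-core pinned via a property to 2.13.3.
SAMPLE_POM = """<properties><log4j.version>2.13.3</log4j.version></properties>
<dependency><groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>"""

if __name__ == "__main__":
    print(vulnerable_versions(SAMPLE_POM))  # ['2.13.3']
```

Versions inherited from a parent POM or a BOM are not visible in the file itself, so an empty result is only conclusive for versions declared in the scanned files.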

Update Local Copies

Cloud Code for IntelliJ offers a "Refresh" button in the File > New Project > Cloud Code Custom dialog to update all configured samples repositories.


Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs