@prabhu@infosec.exchange on Twitter: "CVE-2021-44228 is not really published on #nvd yet (still under analysis). https://t.co/2VrAIxfQ3M A quick search on osv with the CVE ID is therefore empty. https://t.co/c99qdDxyMU Only #GitHub advisory seems to be reporting it (CC-BY-4.0 License) https://t.co/0Ygpx0SgPA" / Twitter

CVE-2021-44228 is not really published on #nvd yet (still under analysis). nvd.nist.gov/vuln/detail/CV A quick search on osv with the CVE ID is therefore empty. osv.dev/list?q=CVE-202 Only #GitHub advisory seems to be reporting it (CC-BY-4.0 License) github.com/advisories/GHS

5:56 PM · Dec 12, 2021

1

Retweet

1

Like

@prabhu@infosec.exchange

@_prbh

Dec 12, 2021

Replying to

@_prbh

As the author of #depscan, I really would like to help secure software. However, if a vulnerability is not available in a free datasource such as NVD or OSV there is no realistic chance to do this. I'm sure the same problem would exist for all free users of

@DependencyTrack

2

1

@prabhu@infosec.exchange

@_prbh

Dec 12, 2021

There is so much talk on how #SBoM would save the world. I have the #SBoM with me that says log4j however no database that correctly reports the problem with the package even after nearly 2 days. Orgs such as #GitHub have a whole team just for curation of vulnerabilities!

1

@prabhu@infosec.exchange

@_prbh

Dec 12, 2021

Based on my limited research, only "log4j-core" and not "log4j-api" appears to be vulnerable. So, this advisory would trigger needless updates if the application depends solely on the "log4j-api" package. github.com/advisories/GHS issues.apache.org/jira/browse/LO

Conversation