7ASecurity is proud to share the results of our security audit of Logback. Logback is an inclusive, fast, and adaptable logging framework for Java. With the help of the Open Source Technology Improvement Fund (OSTIF) and the Sovereign Tech Agency, this project continues to provide reliable and flexible architecture for Java applications.
Audit Process:
This engagement was a whitebox pentest performed by 7ASecurity auditors. During the process, the Logback code and documentation were manually reviewed in order to create a detailed threat model that included a data flow diagram, threat actors, possible vulnerabilities and countermeasures, and recommendations for defence against those specific attacks. Additionally, the team scored the project on the SLSA framework to evaluate the project’s supply chain security.
Audit Results:
- 5 Findings with Security Impact
- 1 Critical, 1 Medium, 1 Low (all 3 have verified fixes in place at time of publication)
- 2 Informational
- Custom Threat Model
- Supply-chain Levels for Software Artifacts (SLSA) Analysis
The maintainer of this project was remarkably responsive during this audit and in the submission of fixes for the reported findings. This attention to security reflects well on both him and the project and is evident in other aspects of the project. The audit report mentions several positive points around the project, including the documentation, security reporting practices, code quality, and reproducible builds. With this security audit complete, the project adds further security documentation to that list, along with the fixes for the reported vulnerabilities.
Thank you to the individuals and groups that made this engagement possible:
- Logback maintainers and community, notably: Ceki Gülcü
- The Open Source Technology Improvement Fund (OSTIF)
- The Sovereign Tech Agency for sponsoring this project
You can read the Audit Report and OSTIF’s Blog about this engagement.
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact amir@ostif.org.