
Vulnerability Output Best Practice

This is an example of the vulnerability analysis output generated in the 05 Tools chapter. Actual output examples produced from the sample projects (including java-vulnerable, which contains Log4Shell, CVE-2021-44228) are available for comparison.


Vulnerability Analysis Report

Generating agent: 05-vulnerability-analyst | Save path: output/vulnerability/cve-report.md


Report type: Vulnerability Analysis | Creation date: YYYY-MM-DD | Target project: your-project | Tools used: OSV API


1. Summary

  • SBOM analyzed: your-project.cdx.json (CycloneDX)
  • A total of 5 vulnerabilities discovered: 🔴 Critical 2, 🟠 High 1, 🟡 Medium 2
  • Critical vulnerabilities requiring immediate action (CVE-2021-44228, CVE-2021-45046) confirmed in log4j-core 2.14.1
  • Recommended action: immediately upgrade log4j-core and log4j-api to 2.17.1 or later

2. Vulnerability Details

| Component | Version | CVE | CVSS | Severity | Description | Fixed version |
|---|---|---|---|---|---|---|
| log4j-core | 2.14.1 | CVE-2021-44228 | 10.0 | 🔴 Critical | Log4Shell: Remote Code Execution (RCE) via JNDI | 2.15.0+ |
| log4j-core | 2.14.1 | CVE-2021-45046 | 9.0 | 🔴 Critical | 2.15.0 patch incomplete; bypassable in non-default configurations | 2.16.0+ |
| log4j-core | 2.14.1 | CVE-2021-45105 | 7.5 | 🟠 High | DoS due to Thread Context Map self-reference | 2.17.0+ |
| log4j-core | 2.14.1 | CVE-2021-44832 | 6.6 | 🟡 Medium | RCE possible for an attacker with permission to modify the logging configuration | 2.17.1+ |
| log4j-core | 2.14.1 | CVE-2025-68161 | 5.4 | 🟡 Medium | Socket Appender does not perform TLS hostname verification | 2.25.3+ |

3. Remediation Measures

Immediate action (Critical — within 24 hours)

Upgrade to log4j-core 2.17.1 or higher: this resolves all Critical and High vulnerabilities at once

```xml
<!-- pom.xml: pin log4j-core to the fixed release (upgrade log4j-api to the same version) -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.1</version>
</dependency>
```

ISO/IEC 18974 §4.3.2 criteria: known vulnerability identification, CVE risk scoring (CVSS), vulnerability tracking and status management
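The pipeline behind this report (CycloneDX SBOM, OSV API query, severity rating, fixed-version lookup, and the "does 2.17.1 close it?" check) as an added worked example; it is not the 05-vulnerability-analyst agent's own code. The SBOM fragment and the OSV-style vulnerability records are constructed inline so it runs offline, and the numeric CVSS base score is assumed to be pre-computed (the real OSV response carries the CVSS vector string instead).

```python
"""SBOM -> OSV batch query -> report rows, using constructed offline data."""

# Constructed CycloneDX fragment in the shape of your-project.cdx.json.
SBOM = {"bomFormat": "CycloneDX", "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"}]}

# Constructed OSV-style records for log4j-core 2.14.1 (IDs, scores and fixed
# versions as listed in the report above). The "cvss" number is an assumption:
# OSV's "severity" field holds a CVSS vector, not a pre-computed score.
def _vuln(vid, cvss, fixed):
    return {"id": vid, "cvss": cvss, "affected": [{"ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": fixed}]}]}]}

VULNS = [_vuln("CVE-2021-44228", 10.0, "2.15.0"), _vuln("CVE-2021-45046", 9.0, "2.16.0"),
         _vuln("CVE-2021-45105", 7.5, "2.17.0"), _vuln("CVE-2021-44832", 6.6, "2.17.1"),
         _vuln("CVE-2025-68161", 5.4, "2.25.3")]

ECOSYSTEMS = {"maven": "Maven", "npm": "npm", "pypi": "PyPI"}  # purl type -> OSV ecosystem

def osv_batch_request(sbom):
    """Body for POST https://api.osv.dev/v1/querybatch: one query per SBOM component."""
    queries = []
    for c in sbom["components"]:
        ecosystem = ECOSYSTEMS[c["purl"].split(":", 1)[1].split("/", 1)[0]]
        # OSV names Maven packages as groupId:artifactId.
        name = f"{c['group']}:{c['name']}" if ecosystem == "Maven" else c["name"]
        queries.append({"package": {"name": name, "ecosystem": ecosystem}, "version": c["version"]})
    return {"queries": queries}

def severity(cvss):
    """CVSS v3 qualitative rating, i.e. the labels in the report's Severity column."""
    return "Critical" if cvss >= 9.0 else "High" if cvss >= 7.0 else "Medium" if cvss >= 4.0 else "Low"

def fixed_version(vuln):
    """First 'fixed' event across the affected ranges (the 'Fixed version' column)."""
    return next((e["fixed"] for a in vuln["affected"] for r in a["ranges"]
                 for e in r["events"] if "fixed" in e), None)

def _key(version):  # numeric tuple for comparing dotted versions such as 2.17.1
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def resolved_by(vulns, target):
    """IDs closed by upgrading to `target`: those whose fixed version is <= target."""
    return [v["id"] for v in vulns if fixed_version(v) and _key(fixed_version(v)) <= _key(target)]

def report_rows(component, version, vulns):
    """Markdown rows for section 2 of the report, highest CVSS first."""
    return [f"| {component} | {version} | {v['id']} | {v['cvss']} | {severity(v['cvss'])} | {fixed_version(v)}+ |"
            for v in sorted(vulns, key=lambda v: -v["cvss"])]

if __name__ == "__main__":
    print(osv_batch_request(SBOM))
    print("\n".join(report_rows("log4j-core", "2.14.1", VULNS)))
    print("resolved by 2.17.1:", resolved_by(VULNS, "2.17.1"))
```

Running it shows that 2.17.1 closes the two Critical, the High and CVE-2021-44832, while CVE-2025-68161 (fixed in 2.25.3+) stays open, which is why the report's Medium-term phase evaluates a further upgrade.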


Vulnerability Response Plan (Remediation Plan)

Generating agent: 05-vulnerability-analyst | Save path: output/vulnerability/remediation-plan.md


Report type: Vulnerability Response Plan | Creation date: YYYY-MM-DD | Target project: your-project


Overview

| Item | Content |
|---|---|
| Response standard | ISO/IEC 18974 §4.3.2 |
| Total number of vulnerabilities | 5 (Critical 2, High 1, Medium 2) |
| Subject to immediate action | CVE-2021-44228, CVE-2021-45046 |

Step-by-step response plan

Phase 1 — Immediate action (Critical, within 24 hours)

  1. Remove JndiLookup class (emergency mitigation before upgrade)
  2. Upgrade to log4j-core 2.17.1
  3. Build and run regression tests
  4. Investigate for signs of compromise (search the logs for the ${jndi: pattern)

Phase 2 — Short-term action (High, within 7 days)

| Task | Owner | Deadline |
|---|---|---|
| Complete inventory of log4j versions on all production servers | Infrastructure Manager | D+2 |
| Apply patches to all production environments | Infrastructure Manager | D+4 |
| Run full regression tests | QA Manager | D+6 |
| Create patch completion report | Security Manager | D+7 |

Phase 3 — Medium-term measures (Medium, within 30 days)

| Task | Details |
|---|---|
| Evaluate upgrade to the latest version | Check API compatibility, verify in the test environment |
| Integrate vulnerability scanning into CI/CD | Add Trivy or OWASP Dependency-Check to the pipeline |
| Integrate automatic SBOM generation | Update the SBOM and send vulnerability notifications automatically on every build |

Vulnerability Status Tracking

| CVE | Severity | Current status | Target status | Owner |
|---|---|---|---|---|
| CVE-2021-44228 | 🔴 Critical | No action | Resolved | Security Manager |
| CVE-2021-45046 | 🔴 Critical | No action | Resolved | Security Manager |
| CVE-2021-45105 | 🟠 High | No action | Resolved | Infrastructure Manager |
| CVE-2021-44832 | 🟡 Medium | No action | Resolved | Development Manager |
| CVE-2025-68161 | 🟡 Medium | No action | Resolved | Development Manager |

How to update the status: after applying the patch, change “No action” to “Resolved (YYYY-MM-DD)”

Measures to prevent recurrence

| Cycle | Task |
|---|---|
| Every build | Automatically scan for vulnerabilities in CI/CD |
| Monthly | Check SBOM renewal and newly published CVEs |
| Quarterly | Full dependency upgrade review |
| Annually | Full review of the vulnerability management process |

This document is an official vulnerability response plan created to fulfill the requirements of ISO/IEC 18974 §4.3.2.