Should we be worried: Apache log4j RCE 0-day exploit ?? #9931
Replies: 8 comments 12 replies
-
I believe we are fine, since GoCD uses logback as logging backend everywhere from what I can see. All log4j dependencies are bridged to slf4j and then go via logback as implementation.
-
Agree. Looks fine. I'm surprised and relieved. :)
-
Just curious: "since GoCD uses logback as logging backend everywhere" Is that from a particular version, or has this always been the case, please?
-
The relevant commit might be: f501efc [so, somewhere in the 16.x release]. The last commit which references The TFS SDK might be the one component which uses log4j. So, if you're using TFS, then this is something to keep an eye on. The JAR used is:
-
Related: https://groups.google.com/g/go-cd/c/zobQ24Oz8rM/m/3hjTUbuCCwAJ (A claim that GoCD 20.6.0 (and maybe 21.3.0) is vulnerable) Also, announcement sent to the GoCD mailing list pointing to this discussion: https://groups.google.com/g/go-cd/c/d-uA9v760Bg/m/VAWsMPCCCwAJ
-
I wasn't aware of this discussion prior to raising the issue here: #9934. Happy to have this closed off if we are certain the vulnerability does not directly affect GoCD.
-
I've used one of the scanning tools for log4j to look over the GoCD jar files and the scanner found these 2 files: My Java knowledge is not good enough to know if these are relevant here.
╰─ ./log4shell scan ./gocd
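As an added example (not code from this thread, from the `log4shell` scanner used above, or from GoCD), here is a small stand-alone Python scanner that does what that tool does for the question at hand: walk a directory of JARs, descend into JARs nested inside fat JARs, and report two things per archive: whether `org/apache/logging/log4j/core/lookup/JndiLookup.class` is present (the class Apache told people to delete as the interim mitigation), and the `log4j-core` version from the bundled Maven `pom.properties`. A `log4j-to-slf4j` bridge JAR, which is what the first reply says GoCD uses, carries neither and is therefore not reported. The JAR names, class bytes and version strings in `build_sample_tree` are constructed fixtures for the demo, not real GoCD artifacts.

```python
"""Scan JARs (and JARs nested inside them) for the Log4Shell indicator class
and the log4j-core version.  Added example; the sample JARs are constructed."""
import io
import os
import tempfile
import zipfile

# Class implementing log4j 2.x JNDI lookups; Apache's interim mitigation was
# to delete it from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core JARs; holds the artifact version.
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")


def _scan_zip(zf, label, findings):
    """Record JndiLookup presence / core version for one archive, then recurse
    into any .jar entries it contains (fat JARs, WEB-INF/lib, BOOT-INF/lib)."""
    names = set(zf.namelist())
    version = None
    if CORE_POM_PROPS in names:
        for line in zf.read(CORE_POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_lookup = JNDI_LOOKUP in names
    if has_lookup or version is not None:
        findings.append({"jar": label, "jndi_lookup": has_lookup,
                         "log4j_core_version": version})
    for name in sorted(names):
        if name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, f"{label}!{name}", findings)


def scan_dir(root):
    """Return a list of findings for every archive under root."""
    findings = []
    for dirpath, dirnames, files in os.walk(root):
        dirnames.sort()
        for f in sorted(files):
            if f.endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        label = os.path.relpath(path, root).replace(os.sep, "/")
                        _scan_zip(zf, label, findings)
                except zipfile.BadZipFile:
                    pass  # not a real ZIP container; skip it
    return findings


def _write_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed fixtures (hypothetical names and contents, not GoCD's JARs)."""
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder class-file bytes
    # 1. An affected log4j-core with the lookup class still present.
    _write_jar(os.path.join(root, "log4j-core-2.14.1.jar"), {
        JNDI_LOOKUP: fake_class,
        CORE_POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n",
    })
    # 2. A log4j-to-slf4j bridge: routes log4j API calls to slf4j, no lookup code.
    _write_jar(os.path.join(root, "log4j-to-slf4j-2.14.1.jar"), {
        "org/apache/logging/slf4j/SLF4JProvider.class": fake_class,
    })
    # 3. A log4j-core with JndiLookup.class removed (the interim mitigation).
    _write_jar(os.path.join(root, "log4j-core-stripped.jar"), {
        CORE_POM_PROPS: b"version=2.14.1\n",
    })
    # 4. A fat JAR hiding an older log4j-core one level down.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, fake_class)
        zf.writestr(CORE_POM_PROPS, b"version=2.11.2\n")
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    _write_jar(os.path.join(root, "lib", "app-all.jar"),
               {"BOOT-INF/lib/log4j-core-2.11.2.jar": inner.getvalue()})


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Read the output as: `jndi_lookup: True` means the archive still contains the lookup class and needs attention regardless of what the version says; a version with `jndi_lookup: False` means the class has been stripped; and an archive that is neither reported at all (like the bridge JAR) contains no log4j-core code for this check to act on. A scan like this only tells you what is on disk, not whether the code path is reachable at runtime, which is the separate question the thread is working through for the TFS SDK.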
-
@TimJDFletcher brought this to my notice just now: https://jira.qos.ch/browse/LOGBACK-1591 It's not clear if logback is impacted in any way, though. Meaning: There is JNDI lookup code, but it's not clear if it can get triggered unless the config is changed knowingly. But they do mention RCE ... As a precautionary measure, logback is being upgraded (#9935). Can make a release once the pipelines finish, if it is clear it is necessary.
-
Link: https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html