log4j madness


Ralph Lessmann

Dec 17, 2021, 5:32:18 AM
to gitblit
hello,

I know it's bothering, but does GitBlit use log4j, and if so, can that be changed?

Thanks

Matthias Sohn

Dec 17, 2021, 6:46:59 AM
to git...@googlegroups.com
On Fri, Dec 17, 2021 at 11:32 AM 'Ralph Lessmann' via gitblit <git...@googlegroups.com> wrote:
> hello,
>
> I know it's bothering, but does GitBlit use log4j, and if so, can that be changed?

it seems to use log4j 1.2.17

> Thanks

--
You received this message because you are subscribed to the Google Groups "gitblit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gitblit+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gitblit/85177013-88ed-4d02-8387-1a181273c68bn%40googlegroups.com.

Florian Zschocke

Dec 18, 2021, 10:20:16 AM
to gitblit
Hi!

Gitblit uses log4j version 1.2.17. This version is not affected by Log4Shell.

To reach the same exploit effect with log4j 1.x, a specific custom logging configuration is needed, making use of JMSAppender. Gitblit does not do this in its default configuration.
Thus, Gitblit is not affected by Log4Shell.

If you had altered the logging configuration of your installation in an exploitable way, then you would need to fix that. Otherwise you are okay. You should make sure, though, that your installation is protected against others writing or adding configuration files.

Here are some links with background information on why we say that Gitblit is not affected.
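The two checks Florian recommends (is a JMSAppender configured anywhere, and can anyone else modify the logging configuration) can be scripted. The following is an added illustration for this thread, not Gitblit project code and not from any poster here; it assumes you pass it the path of whatever log4j 1.x configuration file (properties or XML) your installation actually loads, and the sample configurations embedded below are constructed for demonstration.

```python
"""Audit a log4j 1.x configuration for JMSAppender use and check who can modify it.

Added illustration for the thread above; not Gitblit project code. Gitblit's
real configuration file locations are not assumed; pass the path you use.
"""
import os
import re
import stat
import sys
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def _parse_properties(text):
    """Minimal log4j.properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _audit_properties(text):
    props = _parse_properties(text)
    # Appender definitions look like: log4j.appender.<name>=<fully qualified class>
    jms_names = [k.split(".", 2)[2] for k, v in props.items()
                 if re.fullmatch(r"log4j\.appender\.[^.]+", k) and v == JMS_APPENDER]
    # Logger lines look like: log4j.rootLogger=LEVEL, app1, app2 (first token is the level).
    # An appender that is defined but never referenced by a logger is not instantiated.
    attached = set()
    for k, v in props.items():
        if k in ("log4j.rootLogger", "log4j.rootCategory") or \
                k.startswith(("log4j.logger.", "log4j.category.")):
            tokens = [t.strip() for t in v.split(",")]
            attached.update(t for t in tokens[1:] if t)
    return [{"name": n, "attached": n in attached} for n in jms_names]


def _audit_xml(text):
    root = ET.fromstring(text)
    refs = {e.get("ref") for e in root.iter("appender-ref")}
    return [{"name": a.get("name"), "attached": a.get("name") in refs}
            for a in root.iter("appender") if a.get("class") == JMS_APPENDER]


def audit_log4j_config(text):
    """Return one finding per JMSAppender definition: its name and whether a logger uses it."""
    if text.lstrip().startswith("<"):
        return _audit_xml(text)
    return _audit_properties(text)


def writable_by_others(mode):
    """True if the group or world write bit is set on a POSIX file mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def config_writable_by_others(path):
    """Flag a configuration file that users other than its owner could modify."""
    return writable_by_others(os.stat(path).st_mode)


# Constructed samples (not real Gitblit configurations) showing both formats.
SAMPLE_PROPERTIES = """\
# constructed sample
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

SAMPLE_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root>
    <level value="INFO"/>
    <appender-ref ref="console"/>
  </root>
</log4j:configuration>
"""

if __name__ == "__main__":
    # Usage: python audit_log4j.py /path/to/log4j.properties [/path/to/log4j.xml ...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            findings = audit_log4j_config(fh.read())
        for f in findings:
            state = "ATTACHED to a logger" if f["attached"] else "defined but unreferenced"
            print(f"{path}: JMSAppender '{f['name']}' is {state}")
        if config_writable_by_others(path):
            print(f"{path}: WARNING: writable by group or others; tighten permissions")
```

On the properties sample the script reports the `jms` appender as attached to the root logger, which is the case Florian describes as needing to be fixed; on the XML sample it reports the appender as defined but unreferenced, which is still worth removing but is not active. The permission check covers his last point: a configuration that is safe today stays safe only if nobody else can rewrite it.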

Ralph Lessmann

Dec 19, 2021, 8:51:54 AM
to gitblit
Many thanks for the comprehensive explanation. This is very helpful indeed.

Ralph
