Regarding the log4j vulnerability


Aravind SV

Dec 13, 2021, 7:53:59 AM
to go-cd
Hello,

Just a quick note to say that there is a discussion happening around the log4j vulnerability and GoCD here.

The current understanding is that GoCD (by itself) isn't vulnerable, since it doesn't use log4j directly. There is a TFS dependency which uses log4j, but it had been made to use log4j-over-slf4j and then logback from there -- and so, shouldn't be vulnerable.

If things change, and more information is found, it might be in that discussion page instead of here.

Cheers,
Aravind

Aravind SV

Dec 13, 2021, 7:55:03 AM
to go-cd
Ha. As I write this ... someone seems to have brought this up. Please watch this or the discussion for updates.

Pranav Joshi

Dec 13, 2021, 7:58:29 AM
to go-cd
Hey Aravind,
We found this article http://slf4j.org/log4shell.html :

The SLF4J API is just an API which lets message data go through. As such, using log4j 2.x even via SLF4J does not mitigate the vulnerability.

However, as mentioned previously, log4j 1.x is safe with respect to CVE-2021-44228. Thus, if your SLF4J provider/binding is slf4j-logj12.jar, you are safe regarding CVE-2021-44228.

If you are using log4j-over-slf4j.jar with SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
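The distinction the SLF4J page draws (bridge or binding versus the actual backend) is something you can check on an installation's lib directory rather than infer from dependency lists. The scanner below is an added example, not code from the thread or from GoCD: it opens every JAR, reports which SLF4J backend or bridge markers are present, and flags any JAR that still carries log4j 2.x's JndiLookup class. The marker class names are my choice of fingerprints (verify them against your own JARs), and the sample JARs are constructed in a temporary directory so the script runs offline.

```python
import tempfile
import zipfile
from pathlib import Path

# Class whose presence marks a log4j 2.x core that still has the JNDI lookup (CVE-2021-44228).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Fingerprint classes (my assumption) for the backends/bridges named in the thread.
MARKERS = {
    "logback-classic": "ch/qos/logback/classic/Logger.class",
    "slf4j-log4j12": "org/slf4j/impl/Log4jLoggerAdapter.class",       # SLF4J -> log4j 1.x
    "log4j-slf4j-impl": "org/apache/logging/slf4j/Log4jLogger.class",  # SLF4J -> log4j 2.x
    "log4j-over-slf4j": "org/apache/log4j/Log4jLoggerFactory.class",   # log4j 1.x API -> SLF4J bridge
}

def scan_lib(lib_dir):
    """Return (set of backend/bridge names found, list of JARs containing JndiLookup)."""
    found, jndi = set(), []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            jndi.append(jar.name)
        found.update(c for c, marker in MARKERS.items() if marker in names)
    return found, jndi

def verdict(found, jndi):
    """The JndiLookup class is decisive; the SLF4J wiring alone is not."""
    if jndi:
        return "EXPOSED: log4j 2.x core with JndiLookup in " + ", ".join(jndi)
    if "log4j-slf4j-impl" in found:
        return "EXPOSED: SLF4J is bound to log4j 2.x (core JAR not found, check classpath)"
    return "not exposed via log4j 2.x; backends present: " + ", ".join(sorted(found))

def make_jar(path, entries):
    # Constructed stand-in JAR: only the entry names matter for the scan.
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")

def demo(case):
    """Build a constructed lib/ directory for one scenario and classify it."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d)
        if case == "gocd-like":  # SLF4J API + logback, log4j 1.x API only via the bridge
            make_jar(lib / "logback-classic.jar", [MARKERS["logback-classic"]])
            make_jar(lib / "log4j-over-slf4j.jar", [MARKERS["log4j-over-slf4j"]])
        else:  # SLF4J API bound to an unpatched log4j 2.x core
            make_jar(lib / "log4j-slf4j-impl.jar", [MARKERS["log4j-slf4j-impl"]])
            make_jar(lib / "log4j-core.jar", [JNDI_LOOKUP])
        return verdict(*scan_lib(lib))
```

Point `scan_lib` at a real installation's lib directory to get the same verdict for the JARs actually shipped.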

Aravind SV

Dec 13, 2021, 8:02:25 AM
to go...@googlegroups.com
Hello Pranav,

GoCD's underlying log implementation for slf4j is logback, and not log4j. Have you been able to exploit this? That would be strange because there is no log4j JAR bundled with GoCD at all.

However, we will check again and wait for your response (to the question about the exploit).

Cheers,
Aravind


Pranav Joshi

Dec 13, 2021, 8:31:45 AM
to go-cd
Thanks for the information, Aravind. Can you confirm whether GoCD version 20.6.0 (12005-12860aac6351e2a353728c7d7913f34d741c63e0) is vulnerable with log4j?

Aravind SV

Dec 13, 2021, 9:02:44 AM
to Pranav Joshi, go-cd

Hello Pranav,

No, I can’t confirm that, because I haven’t looked into any old versions. After 21.3.0 came out, it doesn’t make sense to be on any older version, since anything less than 21.2.0 was directly vulnerable in a very bad way.

My opinion is that 20.6.0 is not vulnerable to this, since the log4j v1 to slf4j + logback change was done in 2016, as mentioned in the GitHub discussion: https://github.com/gocd/gocd/discussions/9931

Regards,
Aravind

Marques Lee

Dec 14, 2021, 12:28:04 PM
to go...@googlegroups.com, Pranav Joshi
Also, log4j 1.x is not vulnerable to Log4Shell. It has other serious vulnerabilities though, but not this critical one. Log4Shell only affects log4j2.

-Marques
