Log4j library : WEB_INF/lib/log4j1.2.17


Nikita Maldhure

May 5, 2022, 12:33:44 AM
To: Repo and Gerrit Discussion
Hello Team

I downloaded the latest version of Gerrit, 3.5.0.1, and it looks like it has log4j version 1.2.17 included in WEB-INF/lib. As Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tool (Qualys) reports the log4j issue, as it is vulnerable to CVE-2021-44228. As per the Apache logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.

The path where this log4j is reported is:
/root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

May I know if this would be removed from WEB-INF/lib in future releases?
Is there any ETA for remediation of the EOL log4j libraries?

Thanks,
Nikita Maldhure

Sven Selberg

May 5, 2022, 2:56:52 AM
To: Repo and Gerrit Discussion
On Thursday, May 5, 2022 at 6:33:44 AM UTC+2 nikitaw...@gmail.com wrote:
Hello Team

I downloaded the latest version of Gerrit, 3.5.0.1, and it looks like it has log4j version 1.2.17 included in WEB-INF/lib. As Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tool (Qualys) reports the log4j issue, as it is vulnerable to CVE-2021-44228. As per the Apache logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.

The path where this log4j is reported is:
/root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

I'm guessing this is a leftover from a previous deployment of Gerrit on the server.
If you check the /root/.gerritcodereview/tmp/ directory you'll most likely find (at least) one gerrit_XXXXXX directory that is more recent (and in use).
Since it is a temporary directory, you can remove it before deployment to double-check that the 3.5.0 release doesn't contain log4j.

Matthias Sohn

May 5, 2022, 3:38:19 AM
To: Sven Selberg, Repo and Gerrit Discussion
On Thu, May 5, 2022 at 8:56 AM Sven Selberg <sven.s...@axis.com> wrote:


On Thursday, May 5, 2022 at 6:33:44 AM UTC+2 nikitaw...@gmail.com wrote:
Hello Team

I downloaded the latest version of Gerrit, 3.5.0.1, and it looks like it has log4j version 1.2.17 included in WEB-INF/lib. As Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tool (Qualys) reports the log4j issue, as it is vulnerable to CVE-2021-44228. As per the Apache logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.

The path where this log4j is reported is:
/root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

I'm guessing this is a leftover from a previous deployment of Gerrit on the server.
If you check the /root/.gerritcodereview/tmp/ directory you'll most likely find (at least) one gerrit_XXXXXX directory that is more recent (and in use).
Since it is a temporary directory, you can remove it before deployment to double-check that the 3.5.0 release doesn't contain log4j.

CVE-2021-44228 [1] was published on Dec 10, 2021 after Gerrit 3.5.0.1 was released on Dec 7, 2021.
Gerrit 3.5.0.1 contains:
./WEB-INF/lib/log4j-1.2.17.jar
./WEB-INF/lib/slf4j-log4j12-1.7.26.jar

You need to upgrade to Gerrit 3.5.1, which fixes this CVE by updating the logging implementation used to reload4j [2]:
./WEB-INF/lib/reload4j-1.2.19.jar
./WEB-INF/lib/slf4j-reload4j-1.7.36.jar

In order to benefit from the latest security patches, ensure that you always update to the latest patch release of the
Gerrit version you are using [3].


-Matthias 

May I know if this would be removed from WEB-INF/lib in future releases?
Is there any ETA for remediation of the EOL log4j libraries?

Thanks,
Nikita Maldhure

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/e6bb479b-429e-4096-a503-65c9525fc8b4n%40googlegroups.com.
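A way to confirm what a deployment actually ships before trusting (or dismissing) a scanner finding, as an added shell example that is not part of the thread and not Gerrit project code: it lists the logging jars inside the deployed war without unpacking it, classifies them as end-of-life log4j 1.x versus reload4j (the two states the thread names for 3.5.0.1 and 3.5.1), and separately reports leftover launcher tmp directories, which is where Sven's suggestion points. The `GERRIT_WAR` and `GERRIT_TMP` variables, the default war path, and the flat layout of the unpacked `gerrit_XXXXXX` directories (taken from the reported path) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Gerrit project: check which logging implementation a
# Gerrit deployment actually ships, and list stale launcher tmp directories that a scanner may flag.
# Assumptions: GERRIT_WAR points at the deployed gerrit.war; GERRIT_TMP is the launcher's tmp root
# (the thread's /root/.gerritcodereview/tmp); unzip's zipinfo mode (-Z1) is available.

# Read jar basenames on stdin and print one word:
#   log4j1   - an end-of-life log4j 1.x jar is present (what 3.5.0.1 ships per the thread)
#   reload4j - log4j 1.x was replaced by reload4j (what 3.5.1 ships per the thread)
#   none     - neither found
classify_logging_jars() {
    found=none
    while IFS= read -r jar; do
        case "$jar" in
            # both spellings seen in the thread: log4j-1.2.17.jar in the war, log4j1.2.17.jar in the report
            log4j-1.*.jar|log4j1.*.jar) found=log4j1 ;;
            # reload4j only counts as the fix if no log4j 1.x jar sits beside it
            reload4j-*.jar) [ "$found" = log4j1 ] || found=reload4j ;;
        esac
    done
    echo "$found"
}

# List jar basenames under WEB-INF/lib inside a war without unpacking it (zipinfo mode, names only).
war_lib_jars() {
    unzip -Z1 "$1" 'WEB-INF/lib/*.jar' | sed 's#.*/##'
}

# Print the launcher tmp directories that are NOT the newest one, i.e. leftovers from earlier starts.
# Only the newest gerrit_XXXXXX directory belongs to the running instance.
stale_tmp_dirs() {
    ls -1dt "$1"/gerrit_* 2>/dev/null | tail -n +2
}

# Human-readable report: what the war ships, what each unpacked copy contains, which copies are stale.
report() {
    war=$1; tmp=$2
    echo "war $war ships: $(war_lib_jars "$war" | classify_logging_jars)"
    for d in $(ls -1dt "$tmp"/gerrit_* 2>/dev/null); do
        echo "unpacked $d: $(ls -1 "$d" | classify_logging_jars)"
    done
    stale=$(stale_tmp_dirs "$tmp")
    [ -z "$stale" ] || printf 'stale tmp dirs (remove while Gerrit is stopped):\n%s\n' "$stale"
}

# Run only when the operator points at a deployment, so the functions can also be sourced.
if [ -n "${GERRIT_WAR:-}" ]; then
    report "$GERRIT_WAR" "${GERRIT_TMP:-/root/.gerritcodereview/tmp}"
fi
```

Usage: `GERRIT_WAR=/var/gerrit/bin/gerrit.war sh check_logging.sh` (path assumed). If the war reports `reload4j` but an older `gerrit_XXXXXX` directory reports `log4j1`, the scanner is looking at a leftover from a previous start, which is the situation Sven describes; if the war itself reports `log4j1`, the fix is the upgrade Matthias names, not cleaning tmp.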

Sven Selberg

May 5, 2022, 3:58:21 AM
To: Repo and Gerrit Discussion
On Thursday, May 5, 2022 at 9:38:19 AM UTC+2 Matthias Sohn wrote:
On Thu, May 5, 2022 at 8:56 AM Sven Selberg <sven.s...@axis.com> wrote:


On Thursday, May 5, 2022 at 6:33:44 AM UTC+2 nikitaw...@gmail.com wrote:
Hello Team

I downloaded the latest version of Gerrit, 3.5.0.1, and it looks like it has log4j version 1.2.17 included in WEB-INF/lib. As Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tool (Qualys) reports the log4j issue, as it is vulnerable to CVE-2021-44228. As per the Apache logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.

The path where this log4j is reported is:
/root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

I'm guessing this is a leftover from a previous deployment of Gerrit on the server.
If you check the /root/.gerritcodereview/tmp/ directory you'll most likely find (at least) one gerrit_XXXXXX directory that is more recent (and in use).
Since it is a temporary directory, you can remove it before deployment to double-check that the 3.5.0 release doesn't contain log4j.

CVE-2021-44228 [1] was published on Dec 10, 2021 after Gerrit 3.5.0.1 was released on Dec 7, 2021.

Sorry, I read 3.5.0.1 as 3.5.1, my bad.