Hello Team

I downloaded the latest version of Gerrit 3.5.0.1; it looks like it has the log4j 1.2.17 version included in WEB-INF/lib. As Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tool (Qualys) reports the log4j issue, as it is vulnerable to CVE-2021-44228. As per the Apache logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.
Path where this log4j is reported is: /root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar
On Thursday, May 5, 2022 at 6:33:44 AM UTC+2 nikitaw...@gmail.com wrote:
> Hello Team
>
> I downloaded the latest version of Gerrit 3.5.0.1; it looks like it has the log4j 1.2.17 version included in WEB-INF/lib. As Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tool (Qualys) reports the log4j issue, as it is vulnerable to CVE-2021-44228. As per the Apache logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.
> Path where this log4j is reported is: /root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

I'm guessing this is a leftover from a previous deployment of Gerrit on the server.
If you check the /root/.gerritcodereview/tmp/ directory you'll most likely find (at least) one gerrit_XXXXXX directory that is more recent (and in use).
Since it is a temporary directory you can remove it before deployment to double-check that the 3.5.0 release doesn't contain log4j,

> May I know if this would be removed from the WEB-INF/lib in future releases?
> Is there any ETA of remediation of EOL log4j libraries within?
>
> Thanks,
> Nikita Maldhure
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/e6bb479b-429e-4096-a503-65c9525fc8b4n%40googlegroups.com.
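Sven's suggestion above (look for a stale gerrit_XXXXXX directory that nothing is using any more) can be turned into a repeatable check. The script below is an added example written for this thread, not a Gerrit tool: it lists every log4j jar under the unpacked-lib scratch area and marks each gerrit_* directory as STALE or IN-USE by reading /proc (Linux only; the tmp root and the helper names are assumptions).

```shell
#!/bin/sh
# Added example, not part of the thread or of Gerrit.
# Audits Gerrit's unpacked-lib scratch area ($HOME/.gerritcodereview/tmp/gerrit_*/)
# for log4j jars and reports whether the directory they sit in is still held open
# by a running process. The tmp root is a parameter so it can be pointed anywhere.

# Print every log4j jar found under the given root, one path per line.
# The pattern also matches log4j 2.x artifacts, so the report is for review.
find_log4j_jars() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | sort
}

# Return 0 if any running process holds a file under the directory open
# (a live Gerrit keeps its unpacked jars open), 1 otherwise. Reads /proc
# directly so it needs no lsof; on a system without /proc it reports "not in use".
dir_in_use() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    for pid in /proc/[0-9]*; do
        for fd in "$pid"/fd/*; do
            case "$(readlink "$fd" 2>/dev/null)" in
                "$dir"/*) return 0 ;;
            esac
        done
    done
    return 1
}

# For each gerrit_* directory under the root, print "<STALE|IN-USE>\t<jar path>"
# for every log4j jar it contains. STALE directories are safe to delete before
# the next deployment; IN-USE ones belong to the running instance.
audit_gerrit_tmp() {
    for d in "$1"/gerrit_*; do
        [ -d "$d" ] || continue
        if dir_in_use "$d"; then status=IN-USE; else status=STALE; fi
        find_log4j_jars "$d" | while IFS= read -r jar; do
            printf '%s\t%s\n' "$status" "$jar"
        done
    done
}

# Default to the location the thread describes; pass another root as $1.
audit_gerrit_tmp "${1:-$HOME/.gerritcodereview/tmp}"
```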
On Thu, May 5, 2022 at 8:56 AM Sven Selberg <sven.s...@axis.com> wrote:
> On Thursday, May 5, 2022 at 6:33:44 AM UTC+2 nikitaw...@gmail.com wrote:
>> Hello Team
>>
>> I downloaded the latest version of Gerrit 3.5.0.1; it looks like it has the log4j 1.2.17 version included in WEB-INF/lib. As Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tool (Qualys) reports the log4j issue, as it is vulnerable to CVE-2021-44228. As per the Apache logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.
>> Path where this log4j is reported is: /root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar
>
> I'm guessing this is a leftover from a previous deployment of Gerrit on the server.
> If you check the /root/.gerritcodereview/tmp/ directory you'll most likely find (at least) one gerrit_XXXXXX directory that is more recent (and in use).
> Since it is a temporary directory you can remove it before deployment to double-check that the 3.5.0 release doesn't contain log4j,

CVE-2021-44228 [1] was published on Dec 10, 2021, after Gerrit 3.5.0.1 was released on Dec 7, 2021.