Log4j library: WEB-INF/lib/log4j1.2.17


Nikita Maldhure

May 5, 2022, 12:33:44 AM
to Repo and Gerrit Discussion
Hello Team

I downloaded the latest version of Gerrit, 3.5.0.1, and it looks like it has log4j version 1.2.17 included in WEB-INF/lib. Because Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tools (Qualys) report the log4j issue there as vulnerable to CVE-2021-44228. As per the Apache Logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.

The path where this log4j is reported is:
/root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

May I know if this would be removed from WEB-INF/lib in future releases?
Is there any ETA for remediation of the EOL log4j libraries?

Thanks,
Nikita Maldhure

Sven Selberg

May 5, 2022, 2:56:52 AM
to Repo and Gerrit Discussion
On Thursday, May 5, 2022 at 6:33:44 AM UTC+2 nikitaw...@gmail.com wrote:
Hello Team

I downloaded the latest version of Gerrit, 3.5.0.1, and it looks like it has log4j version 1.2.17 included in WEB-INF/lib. Because Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tools (Qualys) report the log4j issue there as vulnerable to CVE-2021-44228. As per the Apache Logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.

The path where this log4j is reported is:
/root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

I'm guessing this is a leftover from a previous deployment of Gerrit on the server.
If you check the /root/.gerritcodereview/tmp/ directory you'll most likely find (at least) one gerrit_XXXXXX directory that is more recent (and in use).
Since it is a temporary directory, you can remove it before deployment to double-check that the 3.5.0 release doesn't contain log4j.

Matthias Sohn

May 5, 2022, 3:38:19 AM
to Sven Selberg, Repo and Gerrit Discussion
On Thu, May 5, 2022 at 8:56 AM Sven Selberg <sven.s...@axis.com> wrote:


On Thursday, May 5, 2022 at 6:33:44 AM UTC+2 nikitaw...@gmail.com wrote:
Hello Team

I downloaded the latest version of Gerrit, 3.5.0.1, and it looks like it has log4j version 1.2.17 included in WEB-INF/lib. Because Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tools (Qualys) report the log4j issue there as vulnerable to CVE-2021-44228. As per the Apache Logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.

The path where this log4j is reported is:
/root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

I'm guessing this is a leftover from a previous deployment of Gerrit on the server.
If you check the /root/.gerritcodereview/tmp/ directory you'll most likely find (at least) one gerrit_XXXXXX directory that is more recent (and in use).
Since it is a temporary directory, you can remove it before deployment to double-check that the 3.5.0 release doesn't contain log4j.

CVE-2021-44228 [1] was published on Dec 10, 2021, after Gerrit 3.5.0.1 was released on Dec 7, 2021.
Gerrit 3.5.0.1 contains
./WEB-INF/lib/log4j-1.2.17.jar
./WEB-INF/lib/slf4j-log4j12-1.7.26.jar

You need to upgrade to Gerrit 3.5.1, which fixes this CVE by updating the used logging implementation to reload4j [2]:
./WEB-INF/lib/reload4j-1.2.19.jar
./WEB-INF/lib/slf4j-reload4j-1.7.36.jar

In order to benefit from the latest security patches, make sure you always update to the latest patch release of the Gerrit version you are using [3].


-Matthias 

May I know if this would be removed from WEB-INF/lib in future releases?
Is there any ETA for remediation of the EOL log4j libraries?

Thanks,
Nikita Maldhure

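Sven's suggestion (look for stale gerrit_XXXXXX directories under the launcher tmp root) and Matthias's jar lists (log4j-1.2.17 / slf4j-log4j12 in 3.5.0.1 versus reload4j / slf4j-reload4j in 3.5.1) can be combined into one POSIX shell audit. This is an added example, not code from the thread or from the Gerrit project; it assumes the layout `<tmp-root>/gerrit_XXXXXX/*.jar` seen in the reported path, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit Gerrit's launcher tmp directory for
# unpacked deployments that still carry log4j 1.x. Assumed layout, taken from the
# path reported above: <tmp-root>/gerrit_XXXXXX/<jars from WEB-INF/lib>.

# Classify a jar by file name: "log4j1" (vulnerable, EOL), "reload4j" (the
# replacement shipped from Gerrit 3.5.1 on) or "other". Patterns are the file
# names quoted in the thread.
classify_jar() {
  case "${1##*/}" in
    log4j-1.*.jar|log4j1.*.jar|slf4j-log4j12-*.jar) echo log4j1 ;;
    reload4j-*.jar|slf4j-reload4j-*.jar)            echo reload4j ;;
    *)                                              echo other ;;
  esac
}

# For every gerrit_* directory under $1, print one line per log4j 1.x jar.
# The newest directory (by mtime) is treated as the one in use; older ones are
# leftovers from earlier deployments that a scanner will keep flagging until
# they are deleted.
find_stale_log4j_dirs() {
  root=$1
  newest=$(ls -td "$root"/gerrit_*/ 2>/dev/null | head -n1)
  for d in "$root"/gerrit_*/; do
    [ -d "$d" ] || continue
    for jar in "$d"*.jar; do
      [ -f "$jar" ] || continue
      if [ "$(classify_jar "$jar")" = log4j1 ]; then
        if [ "$d" = "$newest" ]; then
          echo "IN-USE $d contains ${jar##*/} (upgrade Gerrit to 3.5.1 or later)"
        else
          echo "STALE $d contains ${jar##*/} (leftover; safe to delete before redeploying)"
        fi
      fi
    done
  done
}

# Usage: sh audit.sh /root/.gerritcodereview/tmp
if [ -n "${1:-}" ]; then
  find_stale_log4j_dirs "$1"
fi
```

An empty result for the newest directory together with `reload4j-*.jar` present in it is the expected state after the 3.5.1 upgrade.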

Sven Selberg

May 5, 2022, 3:58:21 AM
to Repo and Gerrit Discussion
On Thursday, May 5, 2022 at 9:38:19 AM UTC+2 Matthias Sohn wrote:
On Thu, May 5, 2022 at 8:56 AM Sven Selberg <sven.s...@axis.com> wrote:


On Thursday, May 5, 2022 at 6:33:44 AM UTC+2 nikitaw...@gmail.com wrote:
Hello Team

I downloaded the latest version of Gerrit, 3.5.0.1, and it looks like it has log4j version 1.2.17 included in WEB-INF/lib. Because Gerrit's launcher unpacks the WEB-INF/lib directory to a tmp directory on startup, our security tools (Qualys) report the log4j issue there as vulnerable to CVE-2021-44228. As per the Apache Logging website, Log4j 1.x reached End of Life in 2015 and is no longer supported.

The path where this log4j is reported is:
/root/.gerritcodereview/tmp/gerrit_XXXXXX/log4j1.2.17.jar

I'm guessing this is a leftover from a previous deployment of Gerrit on the server.
If you check the /root/.gerritcodereview/tmp/ directory you'll most likely find (at least) one gerrit_XXXXXX directory that is more recent (and in use).
Since it is a temporary directory, you can remove it before deployment to double-check that the 3.5.0 release doesn't contain log4j.

CVE-2021-44228 [1] was published on Dec 10, 2021, after Gerrit 3.5.0.1 was released on Dec 7, 2021.

Sorry, I read 3.5.0.1 as 3.5.1, my bad.