IMPORTANT: Oracle Security Alert - CVE-2021-44228 for log4j v. 2.0 - 2.14.1


Kiran Shinde

Dec 11, 2021, 9:49:21 AM
to Repo and Gerrit Discussion
Hi All,

I just wanted to check if any version of Gerrit is affected by this security vulnerability?
This seems like a very critical issue since it can be exploited remotely without authentication.


Best Regards,
Kiran

Matthias Sohn

Dec 11, 2021, 10:18:43 AM
to Kiran Shinde, Repo and Gerrit Discussion
Gerrit still uses log4j 1.2.17 [1]; this means it's not affected.

Kiran Shinde

Dec 11, 2021, 10:52:33 AM
to Repo and Gerrit Discussion
Thank you very much for your reply Matthias.
I was also looking at the Log4j 1 and it seems there is also a similar security vulnerability.

Security Vulnerabilities

A security vulnerability, CVE-2019-17571, has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.

Are there any plans to update Log4j to a secure version?

Best Regards,

Kiran

Luca Milanesio

Dec 11, 2021, 12:51:53 PM
to Repo and Gerrit Discussion, Luca Milanesio, Kiran Shinde

On 11 Dec 2021, at 15:52, Kiran Shinde <kkiran...@gmail.com> wrote:

Thank you very much for your reply Matthias.
I was also looking at the Log4j 1 and it seems there is also a similar security vulnerability.

Security Vulnerabilities

A security vulnerability, CVE-2019-17571, has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.



Can you clarify how you envisage the above to affect Gerrit?
Bear in mind that with Gerrit, the Log4J configuration is generated internally and we don’t use a SocketAppender, which is the one that is exposing the vulnerability you’re mentioning.

Are you explicitly using it in your Gerrit setup by using a custom log4j properties?

Luca

Are there any plans to update Log4j to a secure version?

Best Regards,

Kiran



On Saturday, 11 December 2021 at 16:18:43 UTC+1 Matthias Sohn wrote:
On Sat, Dec 11, 2021 at 3:49 PM Kiran Shinde <kkiran...@gmail.com> wrote:
Hi All,

I just wanted to check if any version of Gerrit is affected by this security vulnerability?
This seems like a very critical issue since it can be exploited remotely without authentication.


Gerrit still uses log4j 1.2.17 [1]; this means it's not affected.


--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/4db60454-49fb-4c9f-8958-cecb5d118fcan%40googlegroups.com.

Kiran Shinde

Dec 13, 2021, 5:08:39 AM
to Repo and Gerrit Discussion
Hi Luca,

Thank you for the clarification.
With everything going around with the Log4j vulnerability, just wanted to be sure that Gerrit is not affected.
Since we are not using custom log4j properties, I can assume our Gerrit is not affected.

Best Regards,
Kiran

Adam Romanek

Dec 13, 2021, 6:32:04 AM
to Repo and Gerrit Discussion
Hi all,

I, probably just like many other Gerrit admins, am interested in knowing whether Gerrit core or any of its plugins are affected by this particular security issue.

Given the severity of this CVE, it would be good to have a clear statement from Gerrit maintainers.

See for example the approach of the Jenkins team: they created a blog page [1] and a Jira ticket [2] to track and share any information on this subject with the Jenkins community.


Best regards,
Adam Romanek

Luca Milanesio

Dec 13, 2021, 6:49:33 AM
to Repo and Gerrit Discussion, Luca Milanesio, Adam Romanek

On 13 Dec 2021, at 11:32, Adam Romanek <romane...@gmail.com> wrote:

Hi all,

I, probably just like many other Gerrit admins, am interested in knowing whether Gerrit core or any of its plugins are affected by this particular security issue.

Given the severity of this CVE, it would be good to have a clear statement from Gerrit maintainers.

I believe Matthias mentioned in this thread:

Gerrit still uses log4j 1.2.17 [1]; this means it's not affected.


The above looks like a clear statement and Matthias Sohn is a Gerrit maintainer.


See for example the approach of the Jenkins team: they created a blog page [1] and a Jira ticket [2] to track and share any information on this subject with the Jenkins community.


An issue has been created and, if you like, we could put Matthias's statement in a blog post. Would that help?

Luca.

Luca Milanesio

Dec 13, 2021, 8:03:54 AM
to Repo and Gerrit Discussion, Luca Milanesio, Adam Romanek

Adam Romanek

Dec 13, 2021, 10:15:22 AM
to Repo and Gerrit Discussion
On Monday, December 13, 2021 at 2:03:54 PM UTC+1 lucamilanesio wrote:
See the blog-post at [3] and the issue at [4]. Does that help?

Yes, thank you! This definitely helps. I guess the official link to the statement is: https://www.gerritcodereview.com/2021-12-13-log4j-statement.html

Just to be on the safe side - is there any chance that any Gerrit plugins use the affected log4j 2.x?

BR,
Adam

luca.mi...@gmail.com

Dec 13, 2021, 10:27:25 AM
to Repo and Gerrit Discussion, Adam Romanek


Sent from my iPhone

On 13 Dec 2021, at 15:15, Adam Romanek <romane...@gmail.com> wrote:



Not the core plugins.

However, the Log4j dependency is implied by the in-tree plugin build. Other plugins may have a different build process; you should check the ones you are using if they do.

Luca

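One way to carry out the check Luca suggests for plugins with their own build process, as an added example that is not from this thread or from the Gerrit project: it reads the Maven metadata bundled in each plugin jar, flags log4j-core in the 2.0 to 2.14.1 range the alert names, reports a log4j 1.x dependency as not affected by CVE-2021-44228, and notes whether the JndiLookup class is still present. The plugin jar names and contents built in run_demo are constructed for the example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Maven metadata paths that identify a Log4j artefact, and the 2.x class implementing JNDI lookup.
POM_PATHS = {
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core",
    "META-INF/maven/log4j/log4j/pom.properties": "log4j (1.x)",
}
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def affected_by_cve_2021_44228(version):
    """True for log4j-core 2.0 <= version <= 2.14.1, the range named in the alert."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (2, 0) <= v <= (2, 14, 1)

def inspect_jar(jar_path):
    """Return (artifact, version, has_jndi_lookup) for each Log4j artefact in a jar."""
    findings = []
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        for pom, artifact in POM_PATHS.items():
            if pom in names:
                m = re.search(r"^version=(.+)$", zf.read(pom).decode(), re.M)
                findings.append((artifact, m.group(1).strip() if m else "unknown",
                                 JNDI_LOOKUP in names))
    return findings

def scan_plugins(plugins_dir):
    """Map each plugin jar name to one verdict per Log4j artefact it bundles."""
    report = {}
    for jar in sorted(Path(plugins_dir).glob("*.jar")):
        verdicts = []
        for artifact, version, has_jndi in inspect_jar(jar):
            bad = artifact == "log4j-core" and affected_by_cve_2021_44228(version)
            verdicts.append(("AFFECTED: " if bad else "ok: ") + f"{artifact} {version}"
                            + (" (JndiLookup present)" if has_jndi else ""))
        report[jar.name] = verdicts or ["no log4j found"]
    return report

def run_demo():
    """Build two constructed sample jars (not real Gerrit plugins) and scan them."""
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(Path(d) / "in-tree-plugin.jar", "w") as zf:
            zf.writestr("META-INF/maven/log4j/log4j/pom.properties", "version=1.2.17\n")
        with zipfile.ZipFile(Path(d) / "third-party-plugin.jar", "w") as zf:
            zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", "version=2.14.1\n")
            zf.writestr(JNDI_LOOKUP, b"")
        return scan_plugins(d)
```

Point scan_plugins at the plugins directory of a real site to get the same per-jar verdicts; a jar without Maven metadata reports "no log4j found" and needs a manual look.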
