Closed k4nfr3 closed 2 years ago
I am running Gitblit version 1.9.1 on OpenJDK 1.8.0_275 and tried https://github.com/huntresslabs/log4shell-tester.
1.9.1 comes with log4j-1.2.17.jar and not log4j-core-*.jar.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
1.2.x "can" be exploitable ( https://www.openwall.com/lists/oss-security/2021/12/13/2 )
Could not exploit my server.
Hi!
As Bjarne said, Gitblit uses log4j 1.2.17. Log4j 1.x is not affected by Log4Shell. To reach a similar effect with log4j 1.2.x, a distinctive custom configuration of log4j needs to be set up (via JMSAppender). Gitblit does not make use of that in its configuration and is thus not affected.
If using Gitblit with its default settings, you will have no problem. Only if you have changed the log4j configuration in an exploitable way for your use case will you have to fix that. Also, you should protect your installation against attempts to deposit an exploitable log4j configuration file.
I am closing this in favour of #1403 for discussion.
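The reply above makes two practical points: log4j 1.2.x only becomes a problem if a JMSAppender is configured, and the configuration file itself should be protected from tampering. The following script is an added example (not Gitblit's code and not from this thread) that checks a log4j 1.x configuration for both conditions: it looks for appenders of class `org.apache.log4j.net.JMSAppender` in either the `.properties` or the XML configuration format, and compares the file against a previously recorded SHA-256 baseline to detect an altered or substituted configuration. The sample configurations embedded below are constructed for the demonstration, not taken from any real installation.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Fully qualified class of the appender named in the advisory discussion.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# Constructed sample configurations (not Gitblit's shipped files).
SAFE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

RISKY_PROPERTIES = """\
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

RISKY_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""


def find_jms_appenders_properties(text):
    """Return the names of appenders declared as JMSAppender in a .properties config."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Only the 'log4j.appender.<name>=<class>' line declares the class;
        # 'log4j.appender.<name>.<param>=...' lines are skipped by the regex.
        m = re.match(r"log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)", line)
        if m and m.group(2) == JMS_APPENDER:
            names.append(m.group(1))
    return names


def find_jms_appenders_xml(text):
    """Return the names of <appender> elements whose class is JMSAppender in an XML config."""
    root = ET.fromstring(text.encode("utf-8"))
    return [a.get("name") for a in root.iter("appender") if a.get("class") == JMS_APPENDER]


def find_jms_appenders(text):
    """Dispatch on the configuration format (XML or properties)."""
    if text.lstrip().startswith("<"):
        return find_jms_appenders_xml(text)
    return find_jms_appenders_properties(text)


def config_fingerprint(text):
    """SHA-256 of the configuration text, recorded once from a known-good file."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_config(text, expected_fingerprint=None):
    """Return a list of findings; an empty list means nothing to act on."""
    findings = []
    for name in find_jms_appenders(text):
        findings.append(f"appender '{name}' uses {JMS_APPENDER}")
    if expected_fingerprint is not None and config_fingerprint(text) != expected_fingerprint:
        findings.append("configuration differs from the recorded baseline")
    return findings


if __name__ == "__main__":
    baseline = config_fingerprint(SAFE_PROPERTIES)
    for label, cfg in [("safe", SAFE_PROPERTIES), ("risky-props", RISKY_PROPERTIES), ("risky-xml", RISKY_XML)]:
        print(label, check_config(cfg, baseline) or "OK")
```

In a real deployment the baseline hash would be recorded once from the reviewed configuration and stored outside the application's writable directories, so that a later substitution of the file is reported rather than silently loaded at the next restart.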
Great news. Many thanks for your quick reply :-) Much appreciated.
Hello,
As it is using the log4j library (if I'm not mistaken), is there a mitigation recommendation?
Kind regards, k4nfr3