gitblit-org / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0

Log4j vulnerability ? #1404

Closed k4nfr3 closed 2 years ago

k4nfr3 commented 2 years ago

Hello,

As it is using the log4j library (if I'm not mistaken), is there a mitigation recommendation?

Kind regards, k4nfr3

arnebjarne commented 2 years ago

I am running Gitblit version 1.9.1 on OpenJDK 1.8.0_275 and tried https://github.com/huntresslabs/log4shell-tester.

1.9.1 comes with log4j-1.2.17.jar and not log4j-core-*.jar.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

1.2.x "can" be exploitable (https://www.openwall.com/lists/oss-security/2021/12/13/2)

Could not exploit my server.

flaix commented 2 years ago

Hi!

As Bjarne said, Gitblit uses log4j 1.2.17. Log4j 1.x is not affected by Log4Shell. To reach a similar effect with log4j 1.2.x, a distinctive custom configuration of log4j needs to be set up (via JMSAppender). Gitblit does not make use of that in its configuration and is thus not affected.

If using Gitblit with its default settings, you will have no problem. Only if you have changed the log4j configuration in an exploitable way for your use case will you have to fix that. Also, you should protect your installation against attempts to deposit an exploitable log4j configuration file.

I am closing this in favour of #1403 for discussion.
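The triage flaix describes above (which log4j generation is on disk, and whether the log4j 1.x configuration has been changed to use JMSAppender or could be replaced by someone else) can be scripted. The following is an added example, not Gitblit project code; the install directory layout, the `log4j.properties` file name and the sample config contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not Gitblit project code): triage a log4j deployment the way
# the thread describes. For a Gitblit install directory it answers:
#   1. which log4j generation is on disk (1.2.x jar vs. 2.x log4j-core jar)
#   2. whether the log4j configuration references JMSAppender, the only
#      appender through which log4j 1.2.x reaches a Log4Shell-like effect,
#      and whether that configuration file can be written by other users.
# The directory layout and the config file name are assumptions for the demo.

# Print "2.x", "1.x" or "none" depending on which log4j jars exist under $1.
log4j_jar_generation() {
    dir=$1
    if find "$dir" -type f -name 'log4j-core-*.jar' | grep -q .; then
        echo "2.x"
    elif find "$dir" -type f -name 'log4j-1.*.jar' | grep -q .; then
        echo "1.x"
    else
        echo "none"
    fi
}

# Exit 0 if the config file references JMSAppender (properties or XML syntax),
# 1 if it does not, 2 if the file is missing.
log4j_config_uses_jms() {
    cfg=$1
    [ -f "$cfg" ] || return 2
    grep -qi 'JMSAppender' "$cfg"
}

# Exit 0 if the config file is world-writable (anyone with a local account
# could add a JMSAppender entry, which the thread warns about), 1 otherwise.
log4j_config_world_writable() {
    cfg=$1
    find "$cfg" -prune -perm -002 | grep -q .
}

# Combine the checks into a verdict: exit 0 = not affected, 1 = needs attention.
assess_log4j() {
    dir=$1
    cfg=$2
    gen=$(log4j_jar_generation "$dir")
    case $gen in
        2.x)  echo "log4j-core (2.x) found under $dir: CVE-2021-44228 applies unless patched"; return 1 ;;
        none) echo "no log4j jar under $dir"; return 0 ;;
    esac
    rc=0
    log4j_config_uses_jms "$cfg" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "log4j 1.x but config $cfg not found: cannot assess"; return 1
    elif [ "$rc" -eq 0 ]; then
        echo "log4j 1.x with JMSAppender in $cfg: remove or justify that appender"; return 1
    fi
    if log4j_config_world_writable "$cfg"; then
        echo "log4j 1.x, no JMSAppender, but $cfg is world-writable: tighten permissions"; return 1
    fi
    echo "log4j 1.x, no JMSAppender in $cfg: default Gitblit posture, not affected"
    return 0
}

# Demo on a constructed install directory (no real Gitblit files involved).
demo_dir=$(mktemp -d)
touch "$demo_dir/log4j-1.2.17.jar"
cat > "$demo_dir/log4j.properties" <<'EOF'
# constructed sample config, modelled on a plain log4j 1.x console setup
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
EOF
chmod 644 "$demo_dir/log4j.properties"
assess_log4j "$demo_dir" "$demo_dir/log4j.properties"
rm -rf "$demo_dir"
```

Run it against the real installation with `assess_log4j /path/to/gitblit /path/to/gitblit/log4j.properties`; a non-zero exit means one of the three conditions from the thread (2.x jar present, JMSAppender configured, or a config file others can rewrite) needs a look.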

k4nfr3 commented 2 years ago

Great news. Many thanks for your quick reply :-) Much appreciated