gitblit-org / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0

log4j Zero-Day Vulnerability CVE-2021-44228 #1405

Closed. piradix closed this issue 2 years ago.

piradix commented 2 years ago

Can you upgrade log4j to a version > 2.15? All versions under 2.15 have the zero-day vulnerability, see "CVE-2021-44228": https://fossa.com/blog/log4j-log4shell-zero-day-vulnerability-impact-fixes/

Thanks!

Very good product ;-)

flaix commented 2 years ago

Hi piradix!

Gitblit is not affected by Log4Shell. Not all versions of log4j under 2.15 are vulnerable, but all versions between 2.0-beta9 and 2.16. Gitblit uses version 1.2.17 which is not affected. See also #1403

piradix commented 2 years ago

Version 1.2.x is affected, see https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/

section "Contournement provisoire" (Temporary workaround), translated from the French:

Version 1 of log4j was initially declared vulnerable; however, the vulnerability only exists if the JMS Appender component is configured to use JNDI. It is therefore a very specific configuration [1].

It is recommended to use an up-to-date version of the Java Runtime Environment (versions 8u191 and later add restrictions on LDAP- and RMI-based JNDI calls); however, the most recent exploit code is able to bypass these protections and continue exploiting the vulnerability.
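The two questions the thread turns on, which log4j line a deployment actually ships and whether a log4j 1.x configuration enables the JMSAppender JNDI path, can both be checked offline. The script below is an added example for this thread; it is not Gitblit's code or tooling. It reads `Implementation-Version` from a jar's `META-INF/MANIFEST.MF` (assumed present, as it is in the published log4j jars), classifies the version against CVE-2021-44228, and scans a log4j 1.x `log4j.properties` for `org.apache.log4j.net.JMSAppender` entries and the `ProviderURL`, `TopicBindingName` and `TopicConnectionFactoryBindingName` settings that feed its JNDI lookup. The sample jars and configs are constructed in memory and are not Gitblit's shipped files.

```python
"""Offline log4j exposure checks for a Java deployment such as Gitblit.

Added example for this thread, not Gitblit code. Two checks:
  1. Which log4j a jar ships, read from META-INF/MANIFEST.MF (assumed to carry
     Implementation-Version, as the published log4j jars do).
  2. For log4j 1.x, whether log4j.properties configures JMSAppender, the only
     1.x component that performs a JNDI lookup, and with which settings.
"""
import io
import re
import zipfile

LOG4J1_JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# JMSAppender setters in log4j 1.2 that feed its InitialContext and lookups.
JNDI_PROPS = ("TopicBindingName", "TopicConnectionFactoryBindingName", "ProviderURL")

# Constructed sample configs (not Gitblit's shipped log4j.properties).
SAFE_CONFIG = """\
log4j.rootLogger=INFO, console, file
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/gitblit.log
"""
JMS_CONFIG = SAFE_CONFIG + """\
# JMSAppender pointed at a JNDI provider: the 1.x configuration the thread warns about
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.ProviderURL=ldap://logging-host:389/
log4j.appender.jms.TopicBindingName=cn=topic,dc=example
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")


def classify_version(version):
    """Map a log4j version string to its CVE-2021-44228 status.

    'affected'         2.0-beta9 through 2.14.1 (including 2.0-rcN)
    'not-affected'     2.15.0 and later, the 2.12.2 / 2.3.1 backport fixes,
                       and the 2.0 betas before beta9 (no JNDI lookup yet)
    'log4j1-check-jms' the 1.x line: JNDI is reached only via JMSAppender
    'unknown'          anything else
    """
    m = _VERSION_RE.match(version)
    if not m:
        return "unknown"
    major, minor, patch, pre_tag, pre_num = m.groups()
    major, minor, patch = int(major), int(minor), int(patch or 0)
    if major == 1:
        return "log4j1-check-jms"
    if major != 2:
        return "unknown"
    if pre_tag is not None:  # 2.0 pre-releases: the JNDI lookup appeared in 2.0-beta9
        if minor == 0 and pre_tag == "beta" and int(pre_num) < 9:
            return "not-affected"
        return "affected"
    fixed = ((minor, patch) >= (15, 0)
             or (minor == 12 and patch >= 2)   # 2.12.2 backport fix (Java 7)
             or (minor == 3 and patch >= 1))   # 2.3.1 backport fix (Java 6)
    return "not-affected" if fixed else "affected"


def log4j_version_from_jar(jar_bytes):
    """Return Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def audit_jar(jar_bytes):
    """(version, status) for one jar; a missing version yields 'unknown'."""
    version = log4j_version_from_jar(jar_bytes)
    return version, (classify_version(version) if version else "unknown")


def build_sample_jar(version):
    """Constructed in-memory jar holding only a manifest, for offline use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()


def parse_properties(text):
    """Minimal log4j.properties parser: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def jms_jndi_findings(properties_text):
    """List (appender_name, jndi_settings) for every JMSAppender in a 1.x config.

    jndi_settings holds whichever of JNDI_PROPS the appender sets; an empty
    config list means no JMSAppender at all, the case flaix describes for Gitblit.
    """
    props = parse_properties(properties_text)
    findings = []
    for key, value in props.items():
        m = re.match(r"^log4j\.appender\.([^.]+)$", key)
        if not (m and value == LOG4J1_JMS_APPENDER):
            continue
        name = m.group(1)
        jndi = {p: props[f"log4j.appender.{name}.{p}"]
                for p in JNDI_PROPS if f"log4j.appender.{name}.{p}" in props}
        findings.append((name, jndi))
    return findings


if __name__ == "__main__":
    for v in ("1.2.17", "2.14.1", "2.15.0", "2.0-beta8"):
        print(v, "->", audit_jar(build_sample_jar(v)))
    print("safe config:", jms_jndi_findings(SAFE_CONFIG))
    print("jms config: ", jms_jndi_findings(JMS_CONFIG))
```

To run it against a real deployment, replace `build_sample_jar(...)` with the bytes of each `log4j*.jar` found under the application's `WEB-INF/lib` (or the Gitblit GO distribution's `ext` directory) and pass the contents of the deployed `log4j.properties` to `jms_jndi_findings`. A 1.x jar with no JMSAppender finding is the situation the thread describes; a 1.x jar with a finding is the narrow configuration the CERT-FR note warns about and should be reviewed, since the appender's binding names and provider URL are exactly what JNDI resolves.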

flaix commented 2 years ago

Please allow me to again refer you to discussion item #1403 for details and why Gitblit is not affected. There is no need for an upgrade of log4j and we have no plans to update log4j now in the 1.9 line.

piradix commented 2 years ago

All right, the explanations in #1403 are explicit, thanks.