microsoft / azure-devops-intellij

IntelliJ IDEA plug-in for Visual Studio Team Services and Team Foundation Server (TFS)
MIT License

Dependency on Log4j 1.2.13-1.2.14 #465

Closed bbsdddougla closed 2 years ago

bbsdddougla commented 2 years ago

Scanning the deployed plugin with the lunasec log4shell tool flags this plugin as dependent on Log4j 1.2.13-1.2.14. https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#automatically-scanning-your-package

4:19AM INF identified vulnerable path fileName=org/apache/log4j/net/SocketNode.class path=C:/Users/drew/AppData/Roaming/JetBrains/Rider2021.3/plugins/com.microsoft.vso.idea/backend/lib/com.microsoft.tfs.sdk-14.135.2.jar versionInfo="log4j 1.2.13-1.2.14"

These versions are not vulnerable to the log4shell vulnerability? https://www.randori.com/blog/cve-2021-44228/ Is there a chance of the library being exploited as per this CVE? https://access.redhat.com/security/cve/CVE-2021-4104

I believe the mitigation for the library is to upgrade to Log4j 2.16.0?

ForNeVeR commented 2 years ago

These versions are not vulnerable to the log4shell vulnerability?

Not according to the available data on the CVE. Only log4j version 2 is affected.

cypherfunc commented 2 years ago

I know @bbsdddougla already mentioned this, but @ForNeVeR can you speak specifically to whether the plugin (or TEE_CLC) is vulnerable to https://access.redhat.com/security/cve/CVE-2021-4104? It is limited to specific configurations, but I'm not a Java person, so I have no idea where to find the config information.

The scanner available at https://github.com/Qualys/log4jscanwin flags both plugins\com.microsoft.vso.idea\backend\lib\com.microsoft.tfs.sdk-14.135.2.jar, and TEE-CLC-14.135.3\lib\log4j-1.2.14.jar as "Potentially Vulnerable ( CVE-2021-4104: Found )"

ForNeVeR commented 2 years ago

@cypherfunc, neither azure-devops-intellij nor any iteration of team-explorer-everywhere (Microsoft upstream or JetBrains fork) uses the JMSAppender.
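As an added example (not code from this plugin, TEE-CLC or the scanners mentioned), the kind of check cypherfunc's question calls for: CVE-2021-4104 only applies when a JMSAppender is actually configured, so the script below reads a log4j 1.x `.properties` file and reports which JMSAppender definitions are wired to a logger, and separately whether a jar merely bundles the class, which is what the scanners flag. The sample configuration and the in-memory jar are constructed.

```python
import io
import re
import zipfile

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# Constructed sample: a log4j 1.x properties file that defines a JMSAppender
# and wires it into the root logger, the configuration CVE-2021-4104 needs.
SAMPLE_CONFIG = """
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

def jms_appender_status(props_text):
    """Report JMSAppender names defined in a log4j 1.x properties config and
    the subset actually attached to the root logger or a named logger."""
    defined, referenced = set(), set()
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if match and value == JMS_APPENDER:  # log4j.appender.<name>=<class>
            defined.add(match.group(1))
        elif key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            # value is "LEVEL, appenderA, appenderB"; first token is the level
            referenced.update(p.strip() for p in value.split(",")[1:])
    return {"defined": sorted(defined), "wired": sorted(defined & referenced)}

def jar_bundles_jms_appender(jar):
    """True if the jar (path or file object) merely ships the JMSAppender
    class; scanners key on this, which is weaker than it being configured."""
    with zipfile.ZipFile(jar) as zf:
        return any(n.endswith("log4j/net/JMSAppender.class") for n in zf.namelist())

def demo_constructed_jar():
    """Build an in-memory jar with the class layout a log4j 1.2 jar has
    (constructed, not the real SDK jar) and run the bundling check on it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/log4j/net/SocketNode.class", b"")
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"")
    buf.seek(0)
    return jar_bundles_jms_appender(buf)
```

A jar that bundles the class but whose configuration lists no JMSAppender in `wired` is the situation ForNeVeR describes: flagged by presence-based scanners, but not in the configuration the CVE requires.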

bbsdddougla commented 2 years ago

I think @ForNeVeR has definitively answered this.

cypherfunc commented 2 years ago

Awesome, thanks!