utPLSQL / utPLSQL-cli

Command line client for invoking utPLSQL
Apache License 2.0

Is there a log4j vulnerability in utPLSQL-cli? #203

Closed drumbeg closed 2 years ago

drumbeg commented 2 years ago

The lib supplied with the latest release, slf4j-api 1.7.26.jar, allows a possibility of a log4j attack.

https://www.slf4j.org/log4shell.html

How is this being addressed?

pesse commented 2 years ago

Thanks for bringing this up. Will provide an update as soon as possible. However, in order to exploit Log4shell here, you'd need access to the database the cli is run against and create a test with a malicious name. Possible, but very unlikely.

drumbeg commented 2 years ago

Any update on the log4j issue?

jgebal commented 2 years ago

How would you see the log4j issue to be exploited in this software? We will definitely update the log4j library or remove it at some point when working on new features/bugfixes for cli. I'm not sure however if there is real value in fixing it by itself.

Does it block you in any way at the moment?