Skyve - The Low Code Open Source Enterprise Platform

Log4Shell critical log4j vulnerability

With a CVSS score of 10, CVE-2021-44228 is a critical zero-day vulnerability in the Apache Log4j logging library. The vulnerability affects Apache Log4j versions 2.0-beta9 to 2.14.1; in affected versions a remote attacker can send a malicious payload that triggers a JNDI lookup and executes arbitrary code on the server.

The log4j logging library is in use by many open source frameworks, and we are evaluating whether the Skyve platform depends on any of those.

We do not believe Skyve is affected, as it does not make use of any version of log4j 2, and we have recorded evidence of the pre-configured Skyve security rejecting malicious URLs.

We will provide an update when we have completed our investigation.

Update 21-Dec-2021

We have completed our analysis of Skyve applications going back to Skyve 3.0 and found no use of log4j-core in the dependency tree. We've attempted to penetrate existing production Skyve applications using available tools such as https://log4shell.huntress.com/ and found no presence of the vulnerability.

Skyve did include log4j version 1.2, which is affected by another vulnerability, CVE-2021-4104, but that one requires an attacker to have write access to your log4j configuration. As a precautionary measure, we have released Skyve 8.0.1, which removes log4j entirely. With Log4Shell gaining global notoriety and new patches immediately finding additional problems, this is a recommended upgrade for all Skyve applications.
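The two checks described above (is log4j-core in the affected range anywhere in the dependency tree, and is the legacy log4j 1.2 artifact still present) can be automated against `mvn dependency:tree` output. The script below is an added example written for this post; it is not Skyve's own tooling. It assumes the standard Maven tree line format (`groupId:artifactId:packaging[:classifier]:version:scope`), uses the version range stated in this advisory (2.0-beta9 to 2.14.1) for CVE-2021-44228, and flags any `log4j:log4j` 1.2.x artifact for CVE-2021-4104. The embedded tree output is constructed sample data.

```python
import re
import sys
from typing import List, Tuple

# Affected log4j-core range as stated in this advisory (inclusive).
LOG4SHELL_MIN = "2.0-beta9"
LOG4SHELL_MAX = "2.14.1"

# A Maven coordinate token with 5 or 6 colon-separated parts:
#   groupId:artifactId:packaging[:classifier]:version:scope
# The project's own root line has only 4 parts and is skipped on purpose.
COORD_RE = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")

# Constructed sample of `mvn dependency:tree` output (not from a real Skyve build).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:war:1.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""


def version_key(version: str) -> tuple:
    """Sort key for Log4j-style versions: 2.0-beta9 < 2.0-rc1 < 2.0 < 2.14.1.

    Numeric parts are padded to three places; a pre-release qualifier
    (alpha/beta/rc) sorts below the final release of the same number.
    """
    main, _, qualifier = version.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    if not qualifier:
        return (tuple(nums), 2, 0)
    m = re.match(r"([A-Za-z]+)(\d*)", qualifier)
    rank = {"alpha": -1, "beta": 0, "rc": 1}.get(m.group(1).lower() if m else "", 0)
    num = int(m.group(2)) if m and m.group(2) else 0
    return (tuple(nums), rank, num)


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, CVE, note) for every risky log4j artifact in the tree."""
    findings = []
    lo, hi = version_key(LOG4SHELL_MIN), version_key(LOG4SHELL_MAX)
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        parts = m.group(0).split(":")
        group, artifact, version = parts[0], parts[1], parts[-2]  # scope is last
        coord = f"{group}:{artifact}:{version}"
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            if lo <= version_key(version) <= hi:
                findings.append((coord, "CVE-2021-44228",
                                 "log4j-core in the affected range; upgrade or remove it"))
        elif group == "log4j" and artifact == "log4j" and version.startswith("1.2"):
            findings.append((coord, "CVE-2021-4104",
                             "log4j 1.2 present; exploitable only with write access to "
                             "the log4j configuration, but it is unmaintained, so remove it"))
    return findings


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python scan_log4j.py -   (or run with no args for the sample)
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_TREE
    for coord, cve, note in scan_dependency_tree(text):
        print(f"{cve}\t{coord}\t{note}")
```

The range check is deliberately the one quoted in this post; later Log4j advisories widened what counts as affected, so update `LOG4SHELL_MAX` from the current Apache advisory before relying on a clean result. Note that `log4j-api` alone is not flagged: only `log4j-core` performs the JNDI lookup.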

Skyve-bus 1.3.7 has also been released; skyve-bus likewise used log4j version 1.2, and the new version is a recommended upgrade for all users of any version of skyve-bus.

WildFly application server, used to run Skyve applications in development and production, does not depend on the Log4j 2 log4j-core library and so is also not affected by CVE-2021-44228. Please see the post on the WildFly blog for their analysis of the vulnerability.