Thanks for the information, Aravind. Can you confirm whether GoCD Version: 20.6.0 (12005-12860aac6351e2a353728c7d7913f34d741c63e0) is vulnerable with log4j?

On Monday, December 13, 2021 at 6:32:25 PM UTC+5:30 Aravind SV wrote:
> Hello Pranav,
>
> GoCD's underlying log implementation for slf4j is logback, and not log4j.
> Have you been able to *exploit* this? That would be strange because there
> is no log4j JAR bundled with GoCD at all.
>
> However, we will check again and wait for your response (to the question
> about the exploit).
>
> Cheers,
> Aravind
>
>
> On Mon, Dec 13, 2021 at 12:58 PM Pranav Joshi <[email protected]>
> wrote:
>
>> Hey Aravind,
>> We found this article http://slf4j.org/log4shell.html :
>>
>> The SLF4J API is just an API which lets message data go through. As such,
>> using log4j 2.x even via SLF4J does not mitigate the vulnerability.
>>
>> However, as mentioned previously, log4j 1.x is safe with respect to
>> CVE-2021-44228. Thus, if your SLF4J provider/binding is
>> *slf4j-logj12.jar*, you are safe regarding CVE-2021-44228.
>>
>> If you are using *log4j-over-slf4j.jar* with SLF4J API, you are safe
>> unless the underlying implementation is log4j 2.x.
>>
>> On Monday, December 13, 2021 at 6:25:03 PM UTC+5:30 Aravind SV wrote:
>>
>>> Ha. As I write this ... someone seems to have brought this up. Please
>>> watch this or the discussion for updates.
>>>
>>> On Mon, Dec 13, 2021 at 12:53 PM Aravind SV <[email protected]>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> Just a quick note to say that there is a discussion happening around
>>>> the log4j vulnerability and GoCD here
>>>> <https://github.com/gocd/gocd/discussions/9931>.
>>>>
>>>> The current understanding is that GoCD (by itself) isn't vulnerable,
>>>> since it doesn't use log4j directly. There is a TFS dependency which uses
>>>> log4j, but it had been made to use log4j-over-slf4j and then logback from
>>>> there -- and so, *shouldn't* be vulnerable.
>>>>
>>>> If things change, and more information is found, it might be in that
>>>> discussion page instead of here.
>>>>
>>>> Cheers,
>>>> Aravind
>>>>
>>> --
>> You received this message because you are subscribed to the Google Groups
>> "go-cd" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/go-cd/a1cc672b-e9d5-4496-86c6-35b173cba8dcn%40googlegroups.com
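
The thread's reasoning is that exposure to CVE-2021-44228 depends on whether a log4j 2.x implementation is actually bundled, not on the SLF4J API or log4j-over-slf4j being present. The following Python script is an added example, not part of the thread and not GoCD's own code; it inventories an installation directory (including JARs nested in WAR/fat-JAR files) by marker classes, and the marker paths and label names are heuristics chosen for this example.

```python
import io
import sys
import zipfile
from pathlib import Path

# Marker class per logging component (heuristics assumed for this example).
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j-core-2.x",
    "ch/qos/logback/classic/Logger.class": "logback-classic",
    "org/apache/log4j/Log4jLoggerFactory.class": "log4j-over-slf4j",
    "org/apache/log4j/net/SocketAppender.class": "log4j-1.x",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # bound recursion into nested archives


def classify_archive(data, name, found=None, depth=0):
    """Return {archive name: set(labels)} for an archive and archives nested in it."""
    found = {} if found is None else found
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a readable archive; skip it
    with zf:
        for entry in zf.namelist():
            if entry in MARKERS:
                found.setdefault(name, set()).add(MARKERS[entry])
            elif entry.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                classify_archive(zf.read(entry), f"{name}!/{entry}", found, depth + 1)
    return found


def scan(root):
    """Walk a directory tree and classify every archive found under it."""
    found = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            classify_archive(path.read_bytes(), str(path), found)
    return found


def bundles_log4j2_core(found):
    """True if any scanned archive carries the log4j-core 2.x JndiLookup class."""
    return any("log4j-core-2.x" in labels for labels in found.values())


if __name__ == "__main__":
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, labels in results.items():
        print(f"{name}: {', '.join(sorted(labels))}")
    print("log4j-core 2.x present:", bundles_log4j2_core(results))
```

A hit on `log4j-core-2.x` only shows that the library is bundled; fixed log4j-core releases still contain `JndiLookup.class`, so the JAR's version has to be checked next.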
