Also, log4j 1.x is not vulnerable to Log4Shell. It has other serious vulnerabilities though, but not this critical one. Log4Shell only affects log4j2.
-Marques

On Mon, Dec 13, 2021 at 6:02 AM Aravind SV <[email protected]> wrote:
> Hello Pranav,
>
> No, I can’t confirm that, because I haven’t looked into any old versions.
> After 21.3.0 came out, it doesn’t make sense to be on any older version,
> since anything less than 21.2.0 was directly vulnerable in a very bad way.
>
> My *opinion* is that 20.6.0 is not vulnerable to this, since the log4j v1
> to slf4j + logback change was done in 2016, as mentioned in the GitHub
> discussion: https://github.com/gocd/gocd/discussions/9931
>
> Regards,
> Aravind
>
> From: Pranav Joshi <[email protected]>
> Subject: Re: [go-cd] Re: Regarding the log4j vulnerability
> To: go-cd <[email protected]>
> Date: Mon, 13 Dec 2021 05:31:45 -0800 (PST)
>
> Thanks for the information Aravind. Can you confirm whether GoCD Version:
> 20.6.0 (12005-12860aac6351e2a353728c7d7913f34d741c63e0) is vulnerable with
> log4j?
>
> On Monday, December 13, 2021 at 6:32:25 PM UTC+5:30 Aravind SV wrote:
>
>> Hello Pranav,
>>
>> GoCD's underlying log implementation for slf4j is logback, and not log4j.
>> Have you been able to *exploit* this? That would be strange because
>> there is no log4j JAR bundled with GoCD at all.
>>
>> However, we will check again and wait for your response (to the question
>> about the exploit).
>>
>> Cheers,
>> Aravind
>>
>> On Mon, Dec 13, 2021 at 12:58 PM Pranav Joshi <[email protected]> wrote:
>>
>>> Hey Aravind,
>>> We found this article http://slf4j.org/log4shell.html :
>>>
>>> The SLF4J API is just an API which lets message data go through. As
>>> such, using log4j 2.x even via SLF4J does not mitigate the vulnerability.
>>>
>>> However, as mentioned previously, log4j 1.x is safe with respect to
>>> CVE-2021-44228. Thus, if your SLF4J provider/binding is
>>> *slf4j-log4j12.jar*, you are safe regarding CVE-2021-44228.
>>>
>>> If you are using *log4j-over-slf4j.jar* with SLF4J API, you are safe
>>> unless the underlying implementation is log4j 2.x.
>>>
>>> On Monday, December 13, 2021 at 6:25:03 PM UTC+5:30 Aravind SV wrote:
>>>
>>>> Ha. As I write this ... someone seems to have brought this up. Please
>>>> watch this or the discussion for updates.
>>>>
>>>> On Mon, Dec 13, 2021 at 12:53 PM Aravind SV <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Just a quick note to say that there is a discussion happening around
>>>>> the log4j vulnerability and GoCD here
>>>>> <https://github.com/gocd/gocd/discussions/9931>.
>>>>>
>>>>> The current understanding is that GoCD (by itself) isn't vulnerable,
>>>>> since it doesn't use log4j directly. There is a TFS dependency which uses
>>>>> log4j, but it had been made to use log4j-over-slf4j and then logback from
>>>>> there -- and so, *shouldn't* be vulnerable.
>>>>>
>>>>> If things change, and more information is found, it might be in that
>>>>> discussion page instead of here.
>>>>>
>>>>> Cheers,
>>>>> Aravind
>>>>>
>>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "go-cd" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/go-cd/a1cc672b-e9d5-4496-86c6-35b173cba8dcn%40googlegroups.com
>>>
>> --

--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/CAPKX9jbc%2BH%3DHbRDDxXrgOxRojp3p%2BfZNtNovkSPW4ThL60bw0Q%40mail.gmail.com.
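The thread turns on one verifiable fact rather than on which logging API the code calls: whether a log4j 2.x core jar (the one carrying JndiLookup) is present anywhere on the deployed classpath, including nested inside a war, and whether the SLF4J side is a logback binding plus the log4j-over-slf4j bridge or a real log4j. The script below is an added example written for this page, not GoCD's code or anything posted in the thread; it builds a constructed sample tree of fake jars in a temporary directory and classifies each archive by marker classes. The class names are the real ones shipped by log4j 1.x, log4j-core 2.x, logback-classic and SLF4J 1.x bindings; the finding labels, and the choice of JMSAppender as the class that separates real log4j 1.x from the log4j-over-slf4j bridge, are this example's own heuristics.

```python
"""Classpath scan for the logging implementation actually deployed.

Constructed example (not GoCD's code): creates fake jars in a temp dir and
reports, per archive, which logging markers it carries. The point is the
one made in the thread: SLF4J is only an API, so what matters for
CVE-2021-44228 is the binding/bridge and whether log4j-core 2.x is present.
"""
import io
import os
import tempfile
import zipfile

# Real class paths used as markers (what each one indicates is commented).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x with the JNDI lookup
LOG4J2_CORE = "org/apache/logging/log4j/core/Logger.class"             # log4j-core 2.x
LOGBACK = "ch/qos/logback/classic/Logger.class"                        # logback-classic
LOG4J1_API = "org/apache/log4j/Logger.class"        # log4j 1.x AND the log4j-over-slf4j bridge
LOG4J1_JMS = "org/apache/log4j/net/JMSAppender.class"  # heuristic: only real log4j 1.x ships this
SLF4J_BINDING = "org/slf4j/impl/StaticLoggerBinder.class"  # an SLF4J 1.x provider/binding jar


def classify(names):
    """Map one archive's entry names to a set of finding labels (labels are this example's own)."""
    names = set(names)
    findings = set()
    if JNDI_LOOKUP in names:
        findings.add("log4j2-core-with-JndiLookup")   # in scope for CVE-2021-44228
    elif LOG4J2_CORE in names:
        findings.add("log4j2-core-JndiLookup-absent")  # core present but the lookup class is gone
    if LOGBACK in names:
        findings.add("logback-classic")
    if LOG4J1_API in names:
        findings.add("log4j1-classes" if LOG4J1_JMS in names else "log4j-over-slf4j-bridge")
    if SLF4J_BINDING in names:
        findings.add("slf4j-binding")
    return findings


def scan_archive(data, label, report):
    """Classify a jar/war given as bytes; recurse into jars nested inside it (e.g. WEB-INF/lib)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        found = classify(names)
        if found:
            report[label] = sorted(found)
        for n in names:
            if n.endswith(".jar"):
                scan_archive(zf.read(n), f"{label}!{n}", report)


def scan_dir(root):
    """Walk a deployment directory and return {archive label: [findings]}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith((".jar", ".war")):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), report)
    return report


def log4shell_exposed(report):
    """Archives that still carry log4j-core 2.x with JndiLookup."""
    return [label for label, found in report.items() if "log4j2-core-with-JndiLookup" in found]


def jar_bytes(entries):
    """Build an in-memory jar containing the given (empty) class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for e in entries:
            zf.writestr(e, b"")
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample: a logback + bridge layout like the one described in the thread,
    plus a separate war that bundles log4j-core 2.x under WEB-INF/lib for contrast."""
    root = tempfile.mkdtemp(prefix="clsscan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "logback-classic.jar"), "wb") as f:
        f.write(jar_bytes([LOGBACK, SLF4J_BINDING]))
    with open(os.path.join(lib, "log4j-over-slf4j.jar"), "wb") as f:
        f.write(jar_bytes([LOG4J1_API]))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/log4j-core-2.x.jar", jar_bytes([LOG4J2_CORE, JNDI_LOOKUP]))
    with open(os.path.join(root, "other-app.war"), "wb") as f:
        f.write(war.getvalue())
    return root


if __name__ == "__main__":
    rep = scan_dir(build_sample_tree())
    for label, found in rep.items():
        print(f"{label}: {', '.join(found)}")
    print("exposed:", log4shell_exposed(rep))
```

Run against a real install by pointing `scan_dir` at the server's lib directory instead of the sample tree; a result with only `logback-classic`, `slf4j-binding` and `log4j-over-slf4j-bridge` is the layout Aravind describes, while any `log4j2-core-with-JndiLookup` hit, nested or not, is the case the slf4j.org note says SLF4J does nothing to mitigate.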
