Log4Shell vulnerability and Sophora
This article answers the most important questions about Sophora and the Log4j vulnerability.
As you may have read in the press, a critical vulnerability in the Java library Log4j, known as Log4Shell, was disclosed on December 10, 2021 - see the corresponding advisories from CISA (Cybersecurity and Infrastructure Security Agency): CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
The affected library is log4j-core-2.X.Y.jar in all versions from 2.0.0 up to, but not including, 2.17.0. log4j 1.x is vulnerable only to a limited extent. According to our analysis, Sophora products are not affected.
All Sophora products use the Logback and Slf4j libraries for logging. We do not use log4j. Also, the Solr search engine embedded in the Sophora server does not contain the critical log4j library. We are looking deeper into this, but for now we can give the all-clear for Sophora.
The following libraries, some of which are used in Sophora products, do not contain the problem: log4j-api, log4j-to-slf4j, log4j-over-slf4j. These libraries are adapters that redirect logging from libraries written against the log4j API to Slf4j and thus to Logback. The problematic code is not included in these adapters.
Important: Even if Sophora is not directly affected, we strongly advise you to carefully check your Sophora web apps and other products where you use Sophora, to see if log4j-core is in use. This is due to the fact that in customer projects, a number of project-specific libraries are usually in use as well, some of which might have (indirectly) included log4j-core.
For example, in Java Maven projects, you can do a check with:
mvn dependency:list | grep log4j-core
tl;dr: 2.0 <= log4j-core < 2.17.0
See https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
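As an added example (not part of the original article and not Sophora's or subshell's own tooling), the following Python script applies the version range above to the output of `mvn dependency:list` or `mvn dependency:tree`, and also to a plain listing of jar file names from a deployed web app (for example from `unzip -l app.war`), which is useful when only the built artifact is at hand. It flags log4j-core in the range 2.0 <= version < 2.17.0, reports the log4j-api, log4j-to-slf4j and log4j-over-slf4j adapters as safe, and marks log4j 1.x as end-of-life. The sample dependency output and jar listing embedded in the script are constructed for the example, not taken from a real project.

```python
"""Flag log4j-core dependencies in the affected range 2.0 <= version < 2.17.0.

Added example, not part of Sophora or the original article. Input is either
the output of `mvn dependency:list` / `mvn dependency:tree` or a plain listing
of jar file names. The sample inputs at the bottom are constructed.
"""
import re
import sys
from typing import Iterable, List, Tuple

AFFECTED_MIN = (2, 0, 0)   # first affected log4j-core version (per the article)
FIXED = (2, 17, 0)         # first version outside the affected range
# Adapters named in the article: they forward to Slf4j/Logback and do not
# contain the problematic code.
ADAPTERS = {"log4j-api", "log4j-to-slf4j", "log4j-over-slf4j"}

# Maven coordinate as printed by the dependency plugin:
# groupId:artifactId:type[:classifier]:version[:scope]
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[A-Za-z][\w\-]*))?:(?P<version>\d[\w.\-]*)(?::(?P<scope>\w+))?"
)
# Jar file name such as log4j-core-2.14.1.jar or log4j-1.2.17.jar
JAR = re.compile(r"(?P<artifact>log4j(?:-[a-z][\w\-]*?)?)-(?P<version>\d[\w.\-]*?)\.jar\b")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Leading numeric components only, padded to three: '2.0-beta9' -> (2, 0, 0)."""
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def classify(artifact: str, version: str) -> str:
    """Apply the article's rules to one log4j artifact/version pair."""
    v = parse_version(version)
    if artifact in ADAPTERS:
        return "adapter-ok"
    if artifact == "log4j-core":
        return "AFFECTED" if AFFECTED_MIN <= v < FIXED else "fixed"
    if artifact == "log4j" and v[0] == 1:
        return "eol-1.x"          # log4j 1.x: end-of-life, upgrade to 2.17.x
    return "unclassified"         # other log4j-* modules: review manually


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, status) for every log4j artifact found."""
    findings = []
    for line in lines:
        m = COORD.search(line) or JAR.search(line)
        if not m or not m.group("artifact").startswith("log4j"):
            continue
        artifact, version = m.group("artifact"), m.group("version")
        findings.append((artifact, version, classify(artifact, version)))
    return findings


def affected(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Only the (artifact, version) pairs that fall in the affected range."""
    return [(a, v) for a, v, status in scan(lines) if status == "AFFECTED"]


# Constructed sample of `mvn dependency:list` output (not a real project).
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ example-webapp ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO]    org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    log4j:log4j:jar:1.2.17:runtime
"""

# Constructed sample of a WEB-INF/lib listing from a deployed war file.
SAMPLE_LIB_LISTING = """\
WEB-INF/lib/logback-classic-1.2.3.jar
WEB-INF/lib/slf4j-api-1.7.30.jar
WEB-INF/lib/log4j-core-2.17.1.jar
WEB-INF/lib/log4j-api-2.17.1.jar
"""

if __name__ == "__main__":
    # Usage: mvn dependency:list | python3 log4j_check.py   (or pipe a jar listing)
    src = SAMPLE_MVN_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for artifact, version, status in scan(src.splitlines()):
        print(f"{status:12} {artifact}:{version}")
```

A log4j-core hit reported as AFFECTED should be upgraded (or the transitive dependency that pulls it in pinned) to 2.17.x; adapter-ok entries need no action according to the article, and anything reported as unclassified is a log4j module the article does not cover and should be reviewed by hand.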
Since log4j 1.x has been "End-of-Life" (EOL) for some time, you should definitely update affected applications to log4j version 2.17.x. From https://logging.apache.org/log4j/2.x/security.html:
Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.
log4j 1.x seems to be vulnerable in a limited way: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
With
mvn dependency:tree | grep log4j
you can check in Maven whether there is a dependency on an affected log4j-core version.
12/22/2021: In a previous version of this article, we recommended upgrading log4j-core to at least 2.15.x for custom projects that use log4j-core. In light of CVE-2021-45046 and CVE-2021-45105, we have corrected this recommendation to 2.17.x. Sophora itself is still not affected.