Log4Shell vulnerability and Sophora

Is Sophora affected by the Log4j vulnerability?

This article answers the most important questions about Sophora and the Log4j vulnerability.

A laptop computer in a dark room
Old versions of Log4j enable attacks on servers (Image: Markus Spiske/Unsplash)

As you may have read in the press, a critical vulnerability in the Java logging library Log4j, dubbed Log4Shell, was disclosed on December 10, 2021. See the corresponding advisories from CISA (Cybersecurity and Infrastructure Security Agency) on CVE-2021-44228 and on the follow-up issues CVE-2021-45046 and CVE-2021-45105.

Sophora products are not affected

The affected library is log4j-core (log4j-core-2.X.Y.jar) in all 2.x versions before 2.17.0; log4j 1.x is affected only in a limited way (see below). According to our analysis, Sophora products are not affected.

All Sophora products use the Logback and Slf4j libraries for logging. We do not use log4j. Also, the Solr search engine embedded in the Sophora server does not contain the critical log4j library. We are looking deeper into this, but for now we can give the all-clear for Sophora.

The following libraries, some of which are used in Sophora products, do not contain the problem: log4j-api, log4j-to-slf4j, log4j-over-slf4j. These libraries are adapters to redirect logging from libraries that actually expect to use log4j to Slf4j and Logback, respectively. The problematic code is not included in these adapters.

Recommendation: Check your custom apps

Important: Even if Sophora itself is not affected, we strongly advise you to check carefully whether log4j-core is in use in your Sophora web apps and in other products in which you use Sophora. Customer projects usually pull in a number of project-specific libraries, some of which may (transitively) depend on log4j-core.

For example, in Java Maven projects, you can do a check with:

  mvn dependency:list | grep log4j-core

Which libs are vulnerable?

tl;dr: 2.0 <= log4j-core < 2.17.0

See https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes

log4j 1.x?

Since log4j 1.x has been "End-of-Life" (EOL) for some time, you should definitely update affected applications to log4j version 2.17.x. From https://logging.apache.org/log4j/2.x/security.html:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

log4j 1.x seems to be vulnerable in a limited way: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

Which libs are not vulnerable?

  • logback
  • slf4j
  • log4j-api
  • log4j-to-slf4j
  • log4j-over-slf4j

How can I check if a project is affected?

  • With mvn dependency:tree | grep log4j you can check in Maven whether there is a (possibly transitive) dependency on an affected log4j-core version. Note that this grep also matches the harmless log4j-api and log4j-to-slf4j adapters, so look specifically at the log4j-core line and its version.
  • Syft can also be used to check for a dependency on an affected log4j-core version, including in Docker images and other artifacts that Maven does not see.
  • Check the official sources of the services a project depends on (for example, a Java-based database) to see whether they are affected and, if so, in which versions.
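One way to carry out the checks above in a single pass, as an added example that is not part of the original article and not Sophora's or subshell's own code: a small Python script that parses the output of mvn dependency:tree (the same data the grep in the recommendation above works on) and classifies every log4j coordinate against the 2.17.0 threshold, then inspects jar files for log4j-core's JndiLookup class to catch shaded or uber jars whose file name does not mention log4j at all, in the spirit of what Syft does for Docker images. The dependency-tree text and the jar files in it are constructed for the demonstration. One caveat is built in: JndiLookup.class is still shipped in 2.17.0 (JNDI is merely disabled there), so the presence of the class alone does not mean vulnerable; the script reads the version from the jar's pom.properties and leaves the decision to that.

```python
"""Two checks for log4j-core in a project: parse `mvn dependency:tree` output
and inspect jar files for log4j-core's JndiLookup class. Added example, not
code from the Sophora/subshell page; tree text and jars are constructed."""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = "2.17.0"  # the page's rule: 2.0 <= log4j-core < 2.17.0 is affected

# One Maven coordinate as printed by dependency:tree (classifier optional).
COORD_RE = re.compile(r"([^:\s]+):([^:\s]+):(?:jar|war|pom):(?:[^:\s]+:)?([^:\s]+):"
                      r"(compile|provided|runtime|test|system)")

# JndiLookup.class is still shipped in 2.17.0 (JNDI merely disabled), so a hit
# only says "log4j-core is bundled"; the version from pom.properties decides.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_key(version):
    """Sort key for Maven-style versions: '2.0-beta9' < '2.0' < '2.14.1'."""
    release, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in release.split(".") if p.isdigit())
    return (nums, 0 if qualifier else 1)

def classify(group, artifact, version):
    """Finding for one coordinate, or None when it is not of concern."""
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        if version_key(version) < version_key(FIXED_VERSION):
            return f"VULNERABLE: log4j-core {version} (< {FIXED_VERSION})"
        return None
    if group == "log4j" and artifact == "log4j":
        return f"EOL: log4j 1.x ({version}), limited exposure, upgrade to 2.17.x"
    return None  # log4j-api, log4j-to-slf4j, logback, slf4j ... carry no flaw

def scan_dependency_tree(tree_output):
    """Return findings for every log4j coordinate in `mvn dependency:tree` text."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        finding = classify(m.group(1), m.group(2), m.group(3)) if m else None
        if finding:
            findings.append(finding)
    return findings

def scan_jars(root):
    """Map each jar under `root` that ships JndiLookup.class to its log4j-core
    version ('unknown' without pom.properties); catches shaded/uber jars too."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.endswith(".jar") or not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as jar:
                names = set(jar.namelist())
                if JNDI_LOOKUP_CLASS not in names:
                    continue
                version = "unknown"
                if POM_PROPERTIES in names:
                    for raw in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                        if raw.startswith("version="):
                            version = raw.split("=", 1)[1].strip()
                hits[path] = version
    return hits

# Constructed dependency:tree output: a logback/slf4j app that pulls in log4j-core
# transitively through a legacy library, plus a log4j 1.x runtime dependency.
SAMPLE_TREE = r"""
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] +- com.example:legacy-lib:jar:3.2:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- log4j:log4j:jar:1.2.17:runtime
"""

def build_sample_jars(root):
    """Write three constructed jars (fake class bytes, not real bytecode)."""
    samples = {
        "log4j-core-2.14.1.jar": {JNDI_LOOKUP_CLASS: b"\xca\xfe", POM_PROPERTIES: "version=2.14.1\n"},
        "log4j-api-2.14.1.jar": {"org/apache/logging/log4j/LogManager.class": b"\xca\xfe"},  # clean
        "app-all.jar": {"com/example/Main.class": b"\xca\xfe",  # shaded jar, name hides log4j
                        JNDI_LOOKUP_CLASS: b"\xca\xfe", POM_PROPERTIES: "version=2.16.0\n"},
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)

def demo():
    """Run both checks on the constructed input; returns (findings, jar_hits)."""
    findings = scan_dependency_tree(SAMPLE_TREE)
    with tempfile.TemporaryDirectory() as root:
        build_sample_jars(root)
        jar_hits = {os.path.basename(p): v for p, v in scan_jars(root).items()}
    return findings, jar_hits

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Against the constructed tree the script reports the transitive log4j-core 2.14.1 and the log4j 1.2.17 dependency while staying silent on log4j-api and log4j-to-slf4j; the jar scan flags log4j-core-2.14.1.jar and the shaded app-all.jar (with version 2.16.0 read from pom.properties) but not log4j-api-2.14.1.jar. On a real project, feed it the saved output of mvn dependency:tree and point scan_jars at the deployment directory or an exported container filesystem.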

Other tools for testing

Updates to this article

12/22/2021: In a previous version of this article, we recommended upgrading log4j-core to at least 2.15.x for custom projects that use log4j-core. In light of CVE-2021-45046 and CVE-2021-45105, we have corrected this recommendation to 2.17.x. Sophora itself is still not affected.

Team subshell
12/14/21