Summary
TL;DR: If you are a cloud customer of Uleska, you are not vulnerable to log4shell. If you are an on-premise customer of Uleska and are using OWASP ZAP, you must upgrade your running ZAP instance to at least 2.11.1.
Background
Since the log4shell vulnerability (CVE-2021-44228) was discovered last week, we have been ensuring our cloud platform and those of our on-premise customers are appropriately protected from any issues arising from it.
We are satisfied that the Uleska platform is not affected by this vulnerability.
This post will cover the parts of the Uleska system, including associated tools, that we have checked over during our review.
Authentication
For authentication, whether on-prem or in the cloud, we use Keycloak. Keycloak does not ship with log4j, though it does use it for unit testing, albeit only the -api library, and not the affected -core library. The Keycloak project is continuing to check through their codebase.
Status: Monitoring
Artefact Storage
For this, we use Nexus, who use logback and not log4j, so are not affected by this vulnerability.
Status: Cleared
CI plugins
The majority of our CI plugins are written in Python so are unaffected. Our Jenkins plugin does contain log4j in its dependency tree thanks to the jenkins-core plugin. However, it does not appear that the log4j code is packaged into the plugin. We will upgrade our use of jenkins-core to 2.266 or higher anyway.
Status: Update in due course
Application services
Uleska Java microservices use Spring which, by default, uses logback, which continues to be our default configuration, so the Uleska application microservices are not affected. An SBOM of our services will show log4j libraries, but none of these are the -core affected library.
Status: Cleared
Third-party tools
ZAP
Our ZAP tool communicates with a running instance of ZAP. ZAP is vulnerable to this issue, and needs to be upgraded to version 2.11.1 to prevent exploitation. We have upgraded our cloud instance, and are contacting customers who are ZAP users to prompt them to make this upgrade.
Status: Urgent update needed for on-premise customers
LGTM
Our LGTM tool is written in Java, but uses logback, and not log4j
Status: Cleared
Non-Java tools
The remainder of the Uleska integrated tools are not Java-based, so are unaffected by this issue
Status: Cleared
Please get in touch if you have any concerns about this security issue, or if you'd like our help in tweaking your tool configuration to check for this issue.
