TL;DR: If you are a cloud customer of Uleska, you are not vulnerable to log4shell. If you are an on-premise customer of Uleska and are using OWASP ZAP, you must upgrade your running ZAP instance to at least 2.11.1.
Since the log4shell vulnerability (CVE-2021-44228) was discovered last week, we have been ensuring our cloud platform and those of our on-premise customers are appropriately protected from any issues arising from it.
This post will cover the parts of the Uleska system, including associated tools, that we have checked over during our review.
For authentication, whether on-prem or in the cloud, we use Keycloak. Keycloak does not ship with log4j, though it does use it for unit testing, albeit only the log4j-api library, and not the affected log4j-core library. The Keycloak project is continuing to check through their codebase.
For this, we use Nexus, which uses logback and not log4j, so it is not affected by this vulnerability.
The majority of our CI plugins are written in Python, so they are unaffected. Our Jenkins plugin does contain log4j in its dependency tree thanks to the jenkins-core plugin. However, it does not appear that the log4j code is packaged into the plugin. We will upgrade to 2.266 or higher anyway.
Status: Update in due course
Uleska Java microservices use Spring which, by default, uses logback, which continues to be our default configuration, so the Uleska application microservices are not affected. An SBOM of our services will show log4j libraries, but none of these are the affected log4j-core library.
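The SBOM check described above, as an added example that is not Uleska's own tooling: it reads a constructed CycloneDX-style SBOM and flags only log4j-core 2.x entries below the fix version, leaving log4j-api and the slf4j bridges as unaffected. The 2.15.0 threshold is the fix version from the CVE-2021-44228 advisory, not a value from this post.

```python
import json
import re

# Constructed sample SBOM (not from the Uleska platform): a Spring/logback
# service carrying log4j-api, plus log4j-core entries to exercise each path.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.7"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-to-slf4j", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.x-SNAPSHOT"},
    ],
})

LOG4J_GROUP = "org.apache.logging.log4j"
# CVE-2021-44228 is fixed in log4j-core 2.15.0 (assumption from the CVE advisory, not this page).
# Trailing 1 = release, 0 = pre-release, so "2.15.0-rc1" still sorts as affected.
FIXED_VERSION = (2, 15, 0, 1)

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; (-1,) means unparseable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", v)
    if not m:
        return (-1,)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), 0 if m.group(4) else 1)

def triage_sbom(sbom_json: str) -> dict:
    """Bucket components as 'affected' (log4j-core 2.x below the fix), 'review'
    (log4j-core with an unparseable version) or 'unaffected' (everything else)."""
    report = {"affected": [], "review": [], "unaffected": []}
    for c in json.loads(sbom_json).get("components", []):
        coord = f"{c.get('group', '')}:{c.get('name', '')}:{c.get('version', '')}"
        # Only log4j-core carries the vulnerable JNDI lookup; log4j-api does not.
        if c.get("group") != LOG4J_GROUP or c.get("name") != "log4j-core":
            report["unaffected"].append(coord)
            continue
        ver = parse_version(c.get("version", ""))
        if ver == (-1,):
            report["review"].append(coord)
        elif ver[0] == 2 and ver < FIXED_VERSION:
            report["affected"].append(coord)
        else:
            report["unaffected"].append(coord)
    return report

if __name__ == "__main__":
    for bucket, coords in triage_sbom(SAMPLE_SBOM).items():
        print(bucket, coords)
```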
Our ZAP tool communicates with a running instance of ZAP. ZAP is vulnerable to this issue, and needs to be upgraded to version 2.11.1 to prevent exploitation. We have upgraded our cloud instance, and are contacting customers who are ZAP users to prompt them to make this upgrade.
Status: Urgent update needed for on-premise customers
Our LGTM tool is written in Java, but uses logback, and not log4j.
The remainder of the Uleska integrated tools are not Java-based, so are unaffected by this issue.
Please get in touch if you have any concerns about this security issue, or if you'd like our help in tweaking your tool configuration to check for this issue.