Uleska and Log4Shell


Summary

TL;DR: If you are a cloud customer of Uleska, you are not vulnerable to log4shell. If you are an on-premise customer of Uleska and are using OWASP ZAP, you must upgrade your running ZAP instance to at least 2.11.1.

Background

Since the log4shell vulnerability (CVE-2021-44228) was discovered last week, we have been ensuring our cloud platform and those of our on-premise customers are appropriately protected from any issues arising from it.

We are satisfied that the Uleska platform is not affected by this vulnerability.

This post will cover the parts of the Uleska system, including associated tools, that we have checked over during our review.

Authentication

For authentication, whether on-prem or in the cloud, we use Keycloak. Keycloak does not ship with log4j, though it does use it for unit testing, albeit only the -api library, and not the affected -core library. The Keycloak project is continuing to check through their codebase.

Status: Monitoring

Artefact Storage

For this, we use Nexus, which uses logback rather than log4j, so it is not affected by this vulnerability.

Status: Cleared

CI plugins

The majority of our CI plugins are written in Python so are unaffected. Our Jenkins plugin does contain log4j in its dependency tree thanks to the jenkins-core plugin. However, it does not appear that the log4j code is packaged into the plugin. We will upgrade our use of jenkins-core to 2.266 or higher anyway.

Status: Update in due course

Application services

Uleska Java microservices use Spring, which uses logback by default; that remains our configuration, so the Uleska application microservices are not affected. An SBOM of our services will show log4j libraries, but none of them is the affected -core library.
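Two checks from the review above lend themselves to automation: reading an SBOM to separate log4j-api entries from log4j-core entries affected by CVE-2021-44228 (the application services point), and confirming whether a plugin archive actually bundles log4j-core classes rather than merely listing them in its dependency tree (the Jenkins plugin point). The following is an added example, not Uleska's code; the SBOM and the .hpi-style archive it inspects are constructed sample inputs, the CycloneDX-style field names (`group`, `name`, `version`) and the fixed-version boundaries (2.15.0, with the 2.12.2 and 2.3.1 backports) are assumptions stated in the comments.

```python
"""Added example (not Uleska's code): two defender-side checks for log4j-core.

1. affected_components(): scan a CycloneDX-style SBOM and flag log4j-core
   versions hit by CVE-2021-44228 (2.x before 2.15.0, minus the Java 6/7
   backport releases), while ignoring log4j-api, which the CVE does not affect.
2. jar_bundles_jndi_lookup(): open a jar/hpi/war and report whether it bundles
   the log4j-core JndiLookup class, including inside nested jars (WEB-INF/lib).
The SBOM and archives below are constructed sample inputs.
"""
import io
import zipfile

# Assumption: first 2.x release without CVE-2021-44228.
FIXED_VERSION = (2, 15, 0, 0)
# The class whose presence marks a bundled, JNDI-capable log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 0). A pre-release such as '2.0-beta9' ends in -1
    so that it sorts below the release it precedes."""
    base, _, suffix = (text or "").partition("-")
    parts = [int(p) for p in base.split(".") if p.isdigit()]
    parts.append(-1 if suffix else 0)
    return tuple(parts)


def is_affected_log4j_core(group, name, version):
    """True only for org.apache.logging.log4j:log4j-core in a vulnerable range."""
    if group != "org.apache.logging.log4j" or name != "log4j-core":
        return False
    v = parse_version(version)
    if v[0] != 2 or v >= FIXED_VERSION:
        return False
    # Assumption: backported fixes for older runtimes, 2.12.2 (Java 7) and 2.3.1 (Java 6).
    if v[:2] == (2, 12) and v >= (2, 12, 2, 0):
        return False
    if v[:2] == (2, 3) and v >= (2, 3, 1, 0):
        return False
    return True


def affected_components(sbom):
    """Return (name, version) for every SBOM component hit by CVE-2021-44228."""
    return [
        (c["name"], c["version"])
        for c in sbom.get("components", [])
        if is_affected_log4j_core(c.get("group"), c.get("name"), c.get("version"))
    ]


def jar_bundles_jndi_lookup(data):
    """True if the archive bytes (jar/hpi/war) contain JndiLookup.class,
    either directly or inside a nested .jar entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry == JNDI_LOOKUP_CLASS:
                return True
            if entry.endswith(".jar") and jar_bundles_jndi_lookup(zf.read(entry)):
                return True
    return False


def build_sample_archive(with_nested_log4j):
    """Constructed test artefact: an .hpi-style archive whose WEB-INF/lib holds
    one jar that optionally bundles JndiLookup.class (fake class bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_nested_log4j:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as hpi:
        hpi.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()


# Constructed SBOM mimicking CycloneDX component entries: the -api entry and the
# patched -core entry must not be flagged, the 2.14.1 -core entry must be.
SAMPLE_SBOM = {
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
        {"group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.7"},
    ]
}

if __name__ == "__main__":
    print("affected SBOM components:", affected_components(SAMPLE_SBOM))
    print("archive bundles JndiLookup:", jar_bundles_jndi_lookup(build_sample_archive(True)))
```

The SBOM check deliberately keys on group and artifact name rather than on the string "log4j", which is what separates the harmless -api dependency from the -core library the advisory is about; the archive check answers the separate question of whether the vulnerable code is actually shipped, which a dependency tree alone cannot tell you.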

Status: Cleared

Third-party tools

ZAP

Our ZAP tool communicates with a running instance of ZAP. ZAP is vulnerable to this issue, and needs to be upgraded to version 2.11.1 to prevent exploitation. We have upgraded our cloud instance, and are contacting customers who are ZAP users to prompt them to make this upgrade.

Status: Urgent update needed for on-premise customers

LGTM

Our LGTM tool is written in Java, but uses logback, not log4j.

Status: Cleared

Non-Java tools

The remainder of the Uleska integrated tools are not Java-based, so they are unaffected by this issue.

Status: Cleared

Please get in touch if you have any concerns about this security issue, or if you'd like our help in tweaking your tool configuration to check for this issue.
