
Uleska and Log4Shell


Summary

TL;DR: If you are a cloud customer of Uleska, you are not vulnerable to log4shell. If you are an on-premise customer of Uleska and are using OWASP ZAP, you must upgrade your running ZAP instance to at least 2.11.1.

Background

Since the log4shell vulnerability (CVE-2021-44228) was discovered last week, we have been ensuring our cloud platform and those of our on-premise customers are appropriately protected from any issues arising from it.

We are satisfied that the Uleska platform is not affected by this vulnerability.

This post will cover the parts of the Uleska system, including associated tools, that we have checked over during our review.

Authentication

For authentication, whether on-prem or in the cloud, we use Keycloak. Keycloak does not ship with log4j; it uses it only for unit testing, and even there only the log4j-api library, not the affected log4j-core library. The Keycloak project is continuing to check through their codebase.

Status: Monitoring

Artefact Storage

For this we use Nexus, which uses logback rather than log4j, so it is not affected by this vulnerability.

Status: Cleared

CI plugins

The majority of our CI plugins are written in Python, so they are unaffected. Our Jenkins plugin does contain log4j in its dependency tree, pulled in by the jenkins-core dependency. However, the log4j code does not appear to be packaged into the plugin itself. We will upgrade our use of jenkins-core to 2.266 or higher anyway.

Status: Update in due course

Application services

Uleska's Java microservices use Spring, which uses logback by default; we have kept that default, so the Uleska application microservices are not affected. An SBOM of our services will show log4j libraries, but none of them is the affected log4j-core library.

Status: Cleared
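The distinction drawn above, that an SBOM listing log4j-api (or a dependency tree that merely mentions log4j, as in the Jenkins plugin case) is not the same as shipping a vulnerable log4j-core, is easy to automate. The script below is an added example, not Uleska's own tooling: it reads a constructed CycloneDX-style SBOM (the `group`/`name`/`version` field names are the CycloneDX component schema; the component list itself is made up for the example), ignores every log4j artefact other than log4j-core, and flags log4j-core versions below 2.15.0, the first release that fixed CVE-2021-44228. The same version comparison is reused to check a ZAP instance against the 2.11.1 threshold this post requires.

```python
import json
import re

# Constructed sample SBOM in CycloneDX-style JSON (not a real Uleska SBOM).
# It mixes the unaffected log4j-api / log4j-to-slf4j artefacts with one
# vulnerable and one fixed log4j-core so the classifier has something to decide.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-to-slf4j", "version": "2.14.1"},
        {"group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.7"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
    ],
})

LOG4J_GROUP = "org.apache.logging.log4j"
# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 was the
# first fixed release. log4j 1.x lives under a different groupId ("log4j") and
# is therefore never matched here.
LOG4J_CORE_FIXED = (2, 15, 0)
# Version this post requires for a running ZAP instance.
ZAP_FIXED = (2, 11, 1)


def parse_version(text):
    """Turn '2.14.1', '2.15' or '2.0-beta9' into a three-int tuple for comparison.

    Pre-release suffixes are dropped, which errs on the side of flagging:
    '2.0-beta9' compares as (2, 0, 0). Short versions are zero-padded so
    '2.15' is not mistakenly ordered below '2.15.0'.
    """
    nums = []
    for part in re.split(r"[.\-]", text):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def log4j_core_findings(sbom_json):
    """Return 'group:name:version' for every vulnerable log4j-core in the SBOM.

    log4j-api, log4j-to-slf4j and other non-core artefacts are skipped on
    purpose: they show up in an SBOM but are not the affected library.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("group") != LOG4J_GROUP or comp.get("name") != "log4j-core":
            continue
        version = comp.get("version", "")
        if parse_version(version) < LOG4J_CORE_FIXED:
            findings.append(f"{comp['group']}:{comp['name']}:{version}")
    return findings


def zap_needs_upgrade(version):
    """True when a ZAP instance is below 2.11.1 and must be upgraded."""
    return parse_version(version) < ZAP_FIXED


if __name__ == "__main__":
    for finding in log4j_core_findings(SAMPLE_SBOM):
        print("VULNERABLE:", finding)
    for zap_version in ("2.10.0", "2.11.0", "2.11.1"):
        print(f"ZAP {zap_version} needs upgrade:", zap_needs_upgrade(zap_version))
```

Run against a real CycloneDX export, the only line that should need changing is the source of `SAMPLE_SBOM`; the filter on `LOG4J_GROUP` and `log4j-core` is what keeps the harmless -api entries out of the findings.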

Third-party tools

ZAP

Our ZAP tool communicates with a running instance of ZAP. ZAP is vulnerable to this issue, and needs to be upgraded to version 2.11.1 to prevent exploitation. We have upgraded our cloud instance, and are contacting customers who are ZAP users to prompt them to make this upgrade.

Status: Urgent update needed for on-premise customers

LGTM

Our LGTM tool is written in Java, but uses logback, not log4j.

Status: Cleared

Non-Java tools

The remainder of the Uleska integrated tools are not Java-based, so they are unaffected by this issue.

Status: Cleared

Please get in touch if you have any concerns about this security issue, or if you'd like our help in tweaking your tool configuration to check for this issue.
