Apache Log4j Remote Code Execution (RCE) Vulnerability in Gitlab CE

tpatil30 · December 22, 2021, 8:56am

Hi,

I am using Gitlab Community verison 14.4.2 in a docker container.
My Gitlab instance is not exposed to internet.
I wanted to know is Gitlab CE affected by the Apache Log4j Remote Code Execution (RCE) Vulnerability?
I am not using any SAST or Dependency Scanning analyzers.
I was following this article Updates and actions to address Log4j CVE 2021 44228 and CVE 2021 45046 in GitLab | GitLab but didnt find the answers i was looking for.

What actions do i need to take?
Do i need to update Gitlab to its latest version?
Or Gitlab CE 14.4.2 is not affected by this vulnerability?

Please suggest

Thank you.

iwalker · December 22, 2021, 9:04am

Hi, search the forums. There has already been posts on it. Open the search tool, put log4j and read the posts. It saves people repeating themselves

But in short, Gitlab doesn’t use it. But if you are using the security scanner, sast, etc, then you will need to do things as per the post you linked. All the info is in the link you posted, especially if you click the links related to sast.

Topic		Replies	Views
Gitlab : Emergency Patch Deployment for Apache Log4j DevSecOps	3	2863	December 17, 2021
Cve-2021-4428 DevSecOps	8	22995	December 15, 2021
Actions needed for customers running older versions of SAST and Gemnasium Dependency analyzer DevSecOps security	5	4113	December 18, 2021
Is Gitlab CE affecting CVE-2022-22963 and CVE-2022-22965? DevSecOps	3	1098	April 8, 2022
Updates regarding Spring remote code execution vulnerabilities CVE-2022-22965 and CVE-2022-22963 Community	0	311	April 7, 2022

Apache Log4j Remote Code Execution (RCE) Vulnerability in Gitlab CE

Related topics