While I believe this is true, can we confirm that Gitlab is not vulnerable to the log4j CVE-2021-44228 vulnerability?
As far as I am aware, Gitlab doesn’t use log4j. According to Log system | GitLab, logging is done with svlogd, and it doesn’t mention anything about log4j.
Thanks @iwalker . We are looking for a vendor statement on this and haven’t seen anything from GitLab yet. If anyone finds one on Twitter or elsewhere, please share it.
Gitlab aren’t going to make an announcement about it when their product doesn’t contain log4j in the first place. That’s like asking them to make an announcement for every single potential piece of software that isn’t in their application - like Apache Web Server when they use Nginx. It just isn’t going to happen, they have far more important things to concentrate on - like the software that they actually include. They are only going to make announcements for the software that they use. You can even check yourself if you really want to find out if a product is vulnerable or not - use Nessus or other vulnerability scanning software and make your own analysis.
You can expect them to make announcements about software that they include in their product. So good luck on expecting them to waste their time having to announce for every other piece of software that their product doesn’t use.
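The "check yourself" suggestion above is the practical point in this thread. The script below is an added example (not code from this thread, from GitLab, or from any scanner vendor) of what such a check does: walk a filesystem, open every jar/war/ear (including jars nested inside other archives), read the log4j-core `pom.properties` version, look for `JndiLookup.class`, and classify against CVE-2021-44228 and CVE-2021-45046. The archive names and contents it builds in memory are constructed stand-ins for real log4j jars, and the classification encodes the fixed versions published by the Log4j project (2.15.0/2.16.0 on the main line, 2.12.2 and 2.3.1 backports); it does not cover Log4j 1.x, which uses a different artifact path and does not have `JndiLookup`.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar that identify the library and the JNDI lookup class.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str):
    """Return the version= value from a Maven pom.properties file, or None."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version: str):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes are folded into the third number."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def fixed_for_44228(v):
    # Main line fixed in 2.15.0; Java 7 / Java 6 backports fixed in 2.12.2 and 2.3.1.
    return v >= (2, 15, 0) or (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1)


def classify(version, has_jndi_lookup):
    """Map (log4j-core version, JndiLookup.class present) to a status string."""
    if version is None:
        return "log4j-core present, version unknown: inspect manually"
    v = version_tuple(version)
    if not fixed_for_44228(v):
        # Removing JndiLookup.class from the jar was a documented mitigation.
        if has_jndi_lookup:
            return "vulnerable: CVE-2021-44228"
        return "JndiLookup.class removed (mitigated)"
    if v == (2, 15, 0):
        return "vulnerable: CVE-2021-45046 (non-default configurations)"
    return "not affected by CVE-2021-44228/CVE-2021-45046"


def inspect_jar(data: bytes, name: str, findings: list, depth: int = 0):
    """Inspect one archive (given as bytes) and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        findings.append({"archive": name, "version": version, "jndi_lookup": has_jndi,
                         "status": classify(version, has_jndi)})
    if depth < 5:  # fat jars / wars / ears bundle further jars
        for entry in names:
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_jar(zf.read(entry), f"{name}!/{entry}", findings, depth + 1)


def scan_path(root) -> list:
    """Scan a file or directory tree for log4j-core archives; returns a list of findings."""
    root = Path(root)
    candidates = [root] if root.is_file() else root.rglob("*")
    findings = []
    for p in candidates:
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_jar(p.read_bytes(), str(p), findings)
    return findings


def build_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the two entries the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_war(version: str = "2.14.1") -> bytes:
    """Constructed web app archive that bundles a log4j-core jar under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", build_sample_jar(version))
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_path(sys.argv[1])  # e.g. python scan.py /opt
    else:
        results = []
        inspect_jar(build_sample_war("2.14.1"), "app.war", results)
        inspect_jar(build_sample_jar("2.16.0"), "log4j-core-2.16.0.jar", results)
    for r in results:
        print(f"{r['archive']}: version={r['version']} jndi_lookup={r['jndi_lookup']} -> {r['status']}")
```

Run it with a directory argument to scan a host; with no argument it classifies the two constructed samples. A scan like this tells you whether the library is on disk and which version, which is exactly the evidence a vendor statement would otherwise supply; it cannot tell you whether a found jar is actually loaded or reachable by attacker-controlled log input, so a hit still needs follow-up.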
I completely disagree @iwalker. As Gitlab also offers paid products, they should make a small blog post saying their products are not impacted - now we are left a bit in the dark and have to search for it ourselves.
I agree they cannot respond to every CVE and say we are not impacted. But this impacts many products globally on a scale similar to heartbleed. Many companies do it - even if they are not impacted. Seems pure laziness from Gitlab to me.
Why should they? It doesn’t include log4j. They only need to make announcements for packages that their product includes. If Gitlab included log4j then of course they would announce it. But since it doesn’t they don’t have to.
Thanks for asking. Sharing an update below.
Edit: Follow Cve-2021-4428 - #9 by gitlab-greg for the most recent update.
@iwalker: It is called customer service. Do you want to leave your customers in fear and uncertainty? No. For big security problems that have a huge impact like heartbleed or log4j, it is a service to the customers to tell them that the product is safe, because it doesn’t use log4j. It even helps the company, because customers don’t start to speculate whether the product is vulnerable or not.
We’ve just published a blog post detailing the actions we’ve taken in response to the remote code execution Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046) at Updates and actions to address Log4j CVE 2021 44228 and CVE 2021 45046 in GitLab | GitLab.