Gitlab : Emergency Patch Deployment for Apache Log4j

On December 9, Apache confirmed a new zero-day vulnerability impacting the Apache Log4j utility. Carrier is executing Emergency Patch Deployment (EPD) for Apache Log4j Zero-day Remote Code Execution (RCE) Vulnerability (CVE-2021-44228). This allows a remote attacker to take control of an affected system. For additional details about this vulnerability, affected versions and solutions, please reference the Apache Logging Services alert.

Carrier suggested making the changes below on or before December 15:

  1. Upgrade all related Apache Log4j2 applications to the latest log4j-2.15.0 version.
  2. Set log4j2.formatMsgNoLookups to true

Please suggest if we need to take any action on the Gitlab application.
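As an added example (not from the original thread), a Python inventory check for step 1 above: it opens a .jar/.war/.ear, reads the log4j-core Maven version, and checks whether the JndiLookup class is still shipped, descending into nested archives because WARs and uber-jars are where a file-name-only search misses log4j-core. The sample archives it builds are constructed stand-ins, not real log4j artifacts.

```python
import io
import zipfile

# Marker class and Maven metadata that log4j-core jars carry.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # version the post says to upgrade to; adjust as advisories move

def parse_version(v):  # '2.14.1' -> (2, 14, 1); non-numeric suffixes dropped
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in v.split("."))

def inspect_archive(zf, label):
    """Report log4j-core findings in zf and in any archive nested inside it."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP in names
    findings = []
    if has_jndi or version:
        # An unversioned jar that still ships JndiLookup is treated as vulnerable.
        outdated = version is None or parse_version(version) < FIXED
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": has_jndi,
                         "needs_action": has_jndi and outdated})
    for name in sorted(names):  # WARs and uber-jars embed log4j-core as nested jars
        if name.endswith((".jar", ".war", ".ear")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                findings.extend(inspect_archive(inner, f"{label}!{name}"))
    return findings

def inspect_bytes(data, label):  # data: raw bytes of a .jar/.war/.ear file
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return inspect_archive(zf, label)

def build_sample_jar(version, include_jndi, wrap_in_war=False):
    """Constructed stand-in for log4j-core; optionally nested inside a WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
    if not wrap_in_war:
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", buf.getvalue())
    return war.getvalue()
```

To cover a whole host, feed every archive found by an os.walk into inspect_bytes with its path as the label; any finding with needs_action set is a jar that still needs the upgrade.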
We are not using the Professional Edition, so SAST and Dependency Scanning are not there.
Could you please suggest if any action is still required?

I’m using Gitlab-CE, and since there are zero Java parts or even log4j, then no, it’s not affected. You can also scan your server yourself with Nessus or other vulnerability scanners if you wish to be 100% sure. I recommend this anyway as a general rule if you are running your own servers and they are accessible to the internet, irrespective of what is installed on them.