Gitlab : Emergency Patch Deployment for Apache Log4j

Shivani · December 17, 2021, 12:00pm

On December 9, Apache confirmed a new zero-day vulnerability impacting the Apache Log4j utility. Carrier is executing Emergency Patch Deployment (EPD) for Apache Log4j Zero-day Remote Code Execution (RCE) Vulnerability (CVE-2021-44228). This allows a remote attacker to take control of an affected system. For additional details about this vulnerability, affected versions and solutions, please reference the Apache Logging Services alert.

Carrier suggested to make below changes on or before December 15:

Upgrade all related Apache Log4j2 applications to the latest log4j-2.15.0 version.
Set log4j2.formatMsgNoLookupsto true

Please Suggest if we need any action to take care on Gitlab application.

iwalker · December 17, 2021, 3:18pm

Shivani · December 17, 2021, 4:13pm

@iwalker

We are not using Professional Edition so SAST and Dependency scanning is not there.
Could you please suggest if still any action is required?

iwalker · December 17, 2021, 4:17pm

I’m using Gitlab-CE, and since there are zero java parts or even log4j, then no it’s not affected. You can also scan your server yourself with Nessus or other vulnerability scanners if you wish to be 100% sure. I recommend this anyway as a general rule if you are running your own servers and they are accessible to the internet irrespective of what is installed on them.

Topic		Replies	Views
Apache Log4j Remote Code Execution (RCE) Vulnerability in Gitlab CE DevSecOps docker , security	1	942	December 22, 2021
Cve-2021-4428 DevSecOps	8	22993	December 15, 2021
Actions needed for customers running older versions of SAST and Gemnasium Dependency analyzer DevSecOps security	5	4110	December 18, 2021
Is Gitlab CE affecting CVE-2022-22963 and CVE-2022-22965? DevSecOps	3	1096	April 8, 2022
Giltab Vulnerability to Spring4Shell DevSecOps	4	1666	April 8, 2022

Gitlab : Emergency Patch Deployment for Apache Log4j

Related topics