MettleCI Product Security Advisory - Log4j Vulnerable To Remote Code Execution - CVE-2021-44228
Summary | CVE-2021-44228 - Log4j vulnerable to remote code execution |
|---|---|
Original Advisory Release Date | 20 Dec 2021 09:00 UTC (Coordinated Universal Time, +0 hours) |
CVE ID |
As of this advisory, Data Migrators has learned:
No MettleCI components are vulnerable to CVE-2021-44228
Some MettleCI components included an unused log4j-core component which has been removed in the latest update to those components (see below for details).
Read the “Impact On…” sections below to determine if you are affected, and how to protect affected installations.
Summary of Vulnerability
The following sources provide descriptions of the vulnerability at various levels of technical detail.
A summary from the maintainers of the Simple Logging Facade for Java project (AKA SLF4J, as used by MettleCI): http://www.slf4j.org/log4shell.html
A summary from open source data security solution providers LunaSec: https://www.lunasec.io/docs/blog/log4j-zero-day/
Impact On IBM OEM-Licensed Releases
In a number of MettleCI components, we use Log4j but mostly an older version that is required for compatibility with some of the build tools that our software supports (e.g. Atlassian Bamboo) and is unaffected by the CVE.
Component | Versions Assessed | CVE-2021-44228 Exposure | Remediation Actions |
|---|---|---|---|
Workbench | 1.0-1363 | Not exposed. Doesn’t use Log4j. | None required |
Unit Test Harness | 1.0-344 | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | None required. |
CLI (AKA Command Shell) | 1.1-123 | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | None required. |
CLI Plugins (see exceptions below) | Multiple | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | None required. |
Transmuter CLI Plugin | 1.0-29 | Not exposed. Contains the vulnerable Log4j classes but they are never loaded during execution. | Removed vulnerable log4j classes. End-user mitigation actions aren’t required in lieu of deploying the up-coming CVE-focused release of this plug-in to IBM Fix Central. Note: this is only for customers whose MettleCI entitlement is via IBM and who acquire their MettleCI software from IBM, via Passport Advantage / Fix Central. |
Bamboo Native Plugins | As per CLI Plugins above. | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | None required. |
Impact On DM Directly-Licensed Releases
In a number of MettleCI components, we use Log4j but mostly an older version that is required for compatibility with some of the build tools that our software supports (e.g. Atlassian Bamboo) and is unaffected by the CVE.
Component | Versions Assessed | CVE-2021-44228 Exposure | Remediation Actions |
|---|---|---|---|
Workbench | 1.0-1363 | Not exposed. Doesn’t use Log4j. | None required |
Unit Test Harness | 1.0-344 | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | None required. |
CLI (AKA Command Shell) | 1.1-123 | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | None required. |
CLI Plugins (see exceptions below) | Multiple | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | None required. |
Transmuter CLI Plugin | 1.0-29 | Not exposed. Contains the vulnerable Log4j classes but they are never loaded during execution. | Removed vulnerable Log4j classes. End-user mitigation actions aren’t required in lieu of deploying the up-coming CVE-focused release of this plug-in to Note: This is only for customers whose MettleCI software entitlement comes directly from Data Migrators or via IBM Expert Labs. |
Bamboo Native Plugins | As per CLI Plugins above. | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | None required. |
MettleCI Software Publication Systems
The back end to our non-OEM software distribution site has components that run on AWS Lambda and contained a Log4j version vulnerable to the CVE. This has been patched to address the CVE and no evidence of exploit prior to this action was detected.
MettleCI Software Build Systems
Data Migrators have scanned the build server for MettleCI for Log4j instances, including the tools that automatically build, test and release our software. On top of any supplier-specific mitigations we have applied a whole-of-server mitigation.
System | Supplier | Supplier’s CVE Advisory (External URL) | DM Remediation Actions |
|---|---|---|---|
Bitbucket Cloud | Atlassian | None required. As with all SaaS tenants, we rely on the supplier’s mitigation. | |
Jira Cloud | Atlassian | None required. As with all SaaS tenants, we rely on the supplier’s mitigation. | |
Bamboo | Atlassian | Not exposed. Log4j 1.2.17 used but this version pre-dates the presence of the CVE-triggering feature. | |
SonarQube | SonarSource S.A. | ElasticSearch exposed. Applied supplier’s recommended CVE mitigation. | |
Artifactory | Jfrog | None required. No exposure to CVE. |
© 2015-2024 Data Migrators Pty Ltd.