
Upgrade log4j to 2.15.0 to avoid a severe security vulnerability to QuickBuild 10 #4385

tung.nh1 ·

Hi @robinshen.
I see it applied at quickbuild 11.
Please apply it to quickbuild 10.
Thank you.

mart ·

How about older version? We are still on version 7. Any chance to get this fix in those older versions?

mart ·

Looks like QB 7 uses log4j 1.x.

@robinshen can you maybe summarise in one article which QB versions are affected by this vulnerability. Thanks a lot.

kienbui1995 ·

QB 7 only uses log4j 1.x, which does not offer a look-up mechanism. It's too old.

robinshen ADMIN ·

That is correct. Only QB10 and QB11 use log4j2, and the fix is available in the latest version of both branches.

stang ·

When we upgraded our QuickBuild server to 10.0.38, we observed that the following files were automatically added to the useragent folder on the nodes connected to that server:

plugins\com.pmease.quickbuild.bootstrap\lib\log4j-1.2-api-2.16.0.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-api-2.16.0.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-core-2.16.0.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-slf4j-impl-2.16.0.jar

although the following files were still present:

plugins\com.pmease.quickbuild.bootstrap\lib\log4j-1.2-api-2.13.1.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-1.2.15.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-api-2.13.1.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-core-2.13.1.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-slf4j-impl-2.13.1.jar
plugins\com.pmease.quickbuild.bootstrap\lib\slf4j-log4j12-1.7.2.jar

I assume that this is OK, so long as there are no references to the old version log4j.

I can also see that in

conf\wrapper.conf

there are now multiple classpath entries pointing at the new log4j, for example:

wrapper.java.classpath.26=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-api-2.16.0.jar
wrapper.java.classpath.27=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-1.2-api-2.16.0.jar

But in

plugins\com.pmease.quickbuild.bootstrap\META-INF\MANIFEST.MF

there still exists:

Bundle-ClassPath: .,
...
 lib/log4j-1.2.15.jar,

and in

plugins\com.pmease.quickbuild.bootstrap\.classpath

it still contains

<classpathentry exported="true" kind="lib" path="lib/log4j-1.2.15.jar"/>

@robinshen is the vulnerability still present in the nodes if plugins\com.pmease.quickbuild.bootstrap\.classpath and plugins\com.pmease.quickbuild.bootstrap\META-INF\MANIFEST.MF still contain references to log4j 2.15?

Would we need to reinstall each node with a fresh download of the useragent from the QB server?

robinshen ADMIN ·

The .classpath and MANIFEST.MF do not matter; they will not be used at runtime. The classpath is specified in "conf/wrapper.conf", which will be updated.
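
One way to check mechanically which log4j jars a node actually loads, written as an added example and not code from PMEase or anyone in this thread: it reads the wrapper.java.classpath.* entries that robinshen identifies as the runtime classpath and compares them with the jars left in the lib folder, so leftover 2.13.1 and 1.2.15 files are reported as inert rather than as loaded. The wrapper.conf lines and jar list are constructed from the paths quoted above, and min_safe defaults to the 2.17.1 floor mentioned later in the thread.

```python
import re

# Constructed sample wrapper.conf lines, modelled on the entries quoted in this thread
SAMPLE_WRAPPER_CONF = """\
wrapper.java.classpath.1=../plugins/com.pmease.quickbuild.bootstrap/lib/slf4j-api-1.7.2.jar
wrapper.java.classpath.26=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-api-2.16.0.jar
wrapper.java.classpath.27=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-1.2-api-2.16.0.jar
wrapper.java.classpath.28=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-core-2.16.0.jar
"""
# Constructed listing of plugins\com.pmease.quickbuild.bootstrap\lib on a node (file names only)
SAMPLE_JARS_ON_DISK = [
    "log4j-1.2-api-2.16.0.jar", "log4j-api-2.16.0.jar", "log4j-core-2.16.0.jar",
    "log4j-slf4j-impl-2.16.0.jar", "log4j-1.2-api-2.13.1.jar", "log4j-1.2.15.jar",
    "log4j-api-2.13.1.jar", "log4j-core-2.13.1.jar", "log4j-slf4j-impl-2.13.1.jar", "slf4j-log4j12-1.7.2.jar",
]

# One wrapper.java.classpath.N=<path> entry; only the jar file name is compared
CLASSPATH_RE = re.compile(r"^\s*wrapper\.java\.classpath\.\d+\s*=\s*(.+?)\s*$")
LOG4J_JAR_RE = re.compile(  # log4j artifact names seen in this thread, plus their version suffix
    r"^(log4j-core|log4j-api|log4j-1\.2-api|log4j-slf4j-impl|log4j)-(\d+(?:\.\d+)*)\.jar$")

def referenced_jars(conf_text):
    """Jar file names that wrapper.conf actually puts on the runtime classpath."""
    names = []
    for line in conf_text.splitlines():
        m = CLASSPATH_RE.match(line)
        if m:  # normalise Windows separators so the file name can be split off
            names.append(m.group(1).replace("\\", "/").rsplit("/", 1)[-1])
    return names

def audit(conf_text, jars_on_disk, min_safe=(2, 17, 1)):
    """Sort every log4j jar on disk by whether it is loaded at runtime and how old it is."""
    referenced = set(referenced_jars(conf_text))
    report = {"referenced_outdated": [], "referenced_ok": [],
              "referenced_log4j1": [], "unreferenced_leftover": []}
    for jar in jars_on_disk:
        m = LOG4J_JAR_RE.match(jar)
        if not m:
            continue  # slf4j bindings and other libraries are not log4j artifacts
        version = tuple(int(part) for part in m.group(2).split("."))
        if jar not in referenced:
            report["unreferenced_leftover"].append(jar)  # not loaded, but worth deleting for clarity
        elif version[0] < 2:
            report["referenced_log4j1"].append(jar)  # no lookup feature (see above), but end-of-life
        elif version < min_safe:
            report["referenced_outdated"].append(jar)  # loaded and below the required version
        else:
            report["referenced_ok"].append(jar)
    return report
```

Run it against the real conf/wrapper.conf and a directory listing of the node's lib folder; anything in referenced_outdated is what a fresh useragent download or server-pushed update needs to replace.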

stang ·

Thanks for the clarification about the .classpath and MANIFEST.MF!

Our company security folks just had a new update saying that Log4j 2.17.1 is now required because a minor DDOS vulnerability was found in 2.16.0.

I can see that the latest QB 11 (quickbuild-11.0.30) contains Log4j 2.17.1, although the latest QB 10 at this time (quickbuild-10.0.40) is on log4j 2.17.0.
@robinshen are there plans to release a new version of QB 10 with log4j 2.17.1 or later?

robinshen ADMIN ·