Hi @robinshen.
I see it applied at quickbuild 11.
Please apply it to quickbuild 10.
Thank you.
Looks like QB 7 uses log4j 1.x.
@robinshen can you maybe summarise in one article which QB versions are affected by this vulnerability. Thanks a lot.
That is correct. Only QB10 and QB11 use log4j2, and the fix is available in the latest version of both branches.
When we upgraded our QuickBuild server to 10.0.38, we observed that the following files were automatically added to the useragent folder on the nodes connected to that server:
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-1.2-api-2.16.0.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-api-2.16.0.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-core-2.16.0.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-slf4j-impl-2.16.0.jar
although the following files were still present:
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-1.2-api-2.13.1.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-1.2.15.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-api-2.13.1.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-core-2.13.1.jar
plugins\com.pmease.quickbuild.bootstrap\lib\log4j-slf4j-impl-2.13.1.jar
plugins\com.pmease.quickbuild.bootstrap\lib\slf4j-log4j12-1.7.2.jar
I assume that this is OK, so long as there are no references to the old version log4j.
I can also see that in
conf\wrapper.conf
there are now multiple classpath entries pointing at the new log4j, for example:
wrapper.java.classpath.26=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-api-2.16.0.jar
wrapper.java.classpath.27=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-1.2-api-2.16.0.jar
But in
plugins\com.pmease.quickbuild.bootstrap\META-INF\MANIFEST.MF
there still exists:
Bundle-ClassPath: .,
...
lib/log4j-1.2.15.jar,
and in
plugins\com.pmease.quickbuild.bootstrap\.classpath
it still contains
<classpathentry exported="true" kind="lib" path="lib/log4j-1.2.15.jar"/>
@robinshen is the vulnerability still present in the nodes if plugins\com.pmease.quickbuild.bootstrap\.classpath and plugins\com.pmease.quickbuild.bootstrap\META-INF\MANIFEST.MF still contain references to log4j 2.15?
Would we need to reinstall each node with a fresh download of the useragent from the QB server?
The .classpath and MANIFEST.MF do not matter, they will not be used at runtime. The classpath is specified in "conf/wrapper.conf" which will be updated.
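The point of the answer above is that only the jars named in conf/wrapper.conf are loaded by the wrapper, so an audit of a node has to read that file rather than MANIFEST.MF or .classpath. The following script is an added example (not code from the thread or from PMEase) that does exactly that check: it extracts the wrapper.java.classpath.N entries, reports which log4j-core version the node actually runs and whether it meets the 2.17.1 floor the thread arrives at, and lists the older log4j jars that are still present in the bootstrap lib folder but no longer referenced. The wrapper.conf content and the lib listing embedded below are constructed samples modelled on the entries quoted in the thread, and audit_node() assumes the useragent layout quoted there (conf/wrapper.conf, plugins/com.pmease.quickbuild.bootstrap/lib).

```python
import os
import re

# Floor the thread settles on (log4j 2.17.1); compared against the log4j-core jar only,
# since that is the artifact the Log4Shell fixes changed.
REQUIRED_CORE_VERSION = (2, 17, 1)

# Matches the log4j jar names seen in the bootstrap lib folder, e.g.
# log4j-core-2.16.0.jar, log4j-1.2-api-2.13.1.jar or the old log4j-1.2.15.jar.
# Longer artifact ids come first so "log4j" alone only matches the 1.x jar.
LOG4J_JAR = re.compile(
    r"^(log4j-core|log4j-api|log4j-1\.2-api|log4j-slf4j-impl|log4j)-(\d+(?:\.\d+)+)\.jar$"
)

# Constructed sample of wrapper.conf entries (not copied from a real node).
SAMPLE_WRAPPER_CONF = """\
wrapper.java.classpath.1=../plugins/com.pmease.quickbuild.bootstrap/lib/slf4j-log4j12-1.7.2.jar
wrapper.java.classpath.26=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-api-2.16.0.jar
wrapper.java.classpath.27=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-1.2-api-2.16.0.jar
wrapper.java.classpath.28=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-core-2.16.0.jar
wrapper.java.classpath.29=../plugins/com.pmease.quickbuild.bootstrap/lib/log4j-slf4j-impl-2.16.0.jar
"""

# Constructed sample listing of plugins/com.pmease.quickbuild.bootstrap/lib after an upgrade.
SAMPLE_LIB_LISTING = [
    "log4j-1.2-api-2.13.1.jar", "log4j-1.2-api-2.16.0.jar",
    "log4j-1.2.15.jar",
    "log4j-api-2.13.1.jar", "log4j-api-2.16.0.jar",
    "log4j-core-2.13.1.jar", "log4j-core-2.16.0.jar",
    "log4j-slf4j-impl-2.13.1.jar", "log4j-slf4j-impl-2.16.0.jar",
    "slf4j-log4j12-1.7.2.jar",
]


def parse_version(text):
    """'2.16.0' -> (2, 16, 0), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def classify_jar(filename):
    """Return (artifact, version tuple) for a log4j jar, or None for any other file."""
    match = LOG4J_JAR.match(filename)
    if not match:
        return None
    return match.group(1), parse_version(match.group(2))


def classpath_jars(wrapper_conf_text):
    """Collect the jar file names from every wrapper.java.classpath.N entry."""
    jars = []
    for line in wrapper_conf_text.splitlines():
        line = line.strip()
        if not line.startswith("wrapper.java.classpath."):
            continue
        _, _, path = line.partition("=")
        # Entries use forward slashes; tolerate backslashes from hand-edited files.
        jars.append(path.strip().replace("\\", "/").rsplit("/", 1)[-1])
    return jars


def audit(wrapper_conf_text, lib_listing):
    """Compare what the wrapper actually loads with what is lying in the lib folder."""
    on_classpath = set(classpath_jars(wrapper_conf_text))
    core_versions = sorted(
        info[1] for info in map(classify_jar, on_classpath)
        if info is not None and info[0] == "log4j-core"
    )
    stale = sorted(
        jar for jar in lib_listing
        if classify_jar(jar) is not None and jar not in on_classpath
    )
    return {
        "runtime_core_versions": core_versions,
        # A node is only acceptable if it loads a log4j-core at or above the floor.
        "ok": bool(core_versions) and all(v >= REQUIRED_CORE_VERSION for v in core_versions),
        "stale_on_disk": stale,
    }


def audit_node(useragent_root):
    """Run the audit against a real useragent directory (layout as quoted in the thread)."""
    conf_path = os.path.join(useragent_root, "conf", "wrapper.conf")
    lib_dir = os.path.join(useragent_root, "plugins", "com.pmease.quickbuild.bootstrap", "lib")
    with open(conf_path, encoding="utf-8") as fh:
        conf_text = fh.read()
    return audit(conf_text, os.listdir(lib_dir))


if __name__ == "__main__":
    report = audit(SAMPLE_WRAPPER_CONF, SAMPLE_LIB_LISTING)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Stale jars are reported rather than deleted: they are not loaded, so they are a housekeeping and scanner-noise issue, and removing them is an operator decision. Note that the plain log4j-1.2.15.jar (log4j 1.x) is listed only as unreferenced; the version floor is applied to log4j-core, the log4j 2 artifact the thread is actually tracking.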
Thanks for the clarification about the .classpath and MANIFEST.MF!
Our company security folks just had a new update saying that Log4j 2.17.1 is now required because a minor DDOS vulnerability was found in 2.16.0.
I can see that the latest QB 11 (quickbuild-11.0.30) contains Log4j 2.17.1, although the latest QB 10 at this time (quickbuild-10.0.40) is on log4j 2.17.0.
@robinshen are there plans to release a new version of QB 10 with log4j 2.17.1 or later?
Please upgrade to 10.0.41 which uses log4j 2.17.1: