I have installed SoapUI 5.6.0 and it does have "log4j-1.2.14.jar" file present at SmartBear\SoapUI-5.6.0\lib location. Does this file have vulnerability? Log4J file < 2.15 is vulnerable. So, Can you share if there is any patch or fix for the same or if there is any new version available to install which does not have this vulnerability? Thanks, Jazzy

Hi, We were said that there will be an updated release of SoapUI OS in the coming days. Please see this pull request https://github.com/SmartBear/soapui/tree/release-5.6.1 for more details.

Jazzy

Occasional Visitor

3 years ago

Does SoapUI 5.6.0 has log4j vulnerability?

I have installed SoapUI 5.6.0 and it does have "log4j-1.2.14.jar" file present at SmartBear\SoapUI-5.6.0\lib location.

Does this file have vulnerability? Log4J file < 2.15 is vulnerable. So, Can you share if there is any patch or fix for the same or if there is any new version available to install which does not have this vulnerability?

Thanks,

Jazzy

SOAP

TanyaYatskovska
3 years ago
Hi,

We were said that there will be an updated release of SoapUI OS in the coming days. Please see this pull request https://github.com/SmartBear/soapui/tree/release-5.6.1 for more details.

TanyaYatskovska
SmartBear Alumni (Retired)
3 years ago
Hi,

We were said that there will be an updated release of SoapUI OS in the coming days. Please see this pull request https://github.com/SmartBear/soapui/tree/release-5.6.1 for more details.
- techguy24
  Occasional Visitor
  3 years ago
  I see the new update was released. However, it contains 2.16 which is not secure either. Will 2.17 be released soon?
  - TanyaYatskovska
    SmartBear Alumni (Retired)
    3 years ago
    Hi,
    
    SmartBear is closely monitoring and analyzing Apache guidance related to the Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities. Please follow this page for more information:
    
    https://smartbear.com/security/cve-2021-44228/
KarelHusa
Champion Level 1
3 years ago
The log4j versions 1.x are not affected by CVE-2021-44228 vulnerability.
See https://logging.apache.org/log4j/2.x/security.html for more information.

Best regards,
Karel
- saravana_s1972
  New Contributor
  3 years ago
  When is Smarbear intend to release a version for log4j 2.16 vulnerability
  - TanyaYatskovska
    SmartBear Alumni (Retired)
    3 years ago
    Hi saravana_s1972,
    
    I see that our developers are working on v.5.7.0 where this issue will be fixed.
john123marshal
Occasional Visitor
3 years ago
JFrog's security research team looked into this claim and concluded that log4j-api (by itself) is not vulnerable. This is due to the lack of JndiLookup functionality, and can be easily seen by trying to trigger the vulnerable code