Is SoapUI affected by Log4j Vulnerability? If yes, what are the actions required for permanent fix?

Hey AnuragJaiswal 

Yes any software that runs log4j was open to the security issue reported just before Xmas.

I know there was another user on here who's Security Guys wanted the company he worked for to stop using SoapUI/ReadyAPI until an alternative to log4j was found (I think because a couple of weeks after the critical flaw was found, I think on 29th Dec a further high priority flaw was found) - however software is always gonna have flaws - unless you're completely air gapped - there's always a risk.

I can only tell you what my company did with their ReadyAPI instances - they just swapped out all the existing log4j files and replaced them with v2.17 files.  I believe v2.16 was produced to fix the critical flaw and v2.17 was released to handle the flaw published on 29th December.

SoapUI changes can be pretty slow sometimes.  There's nothing wrong with you overwriting the existing log4j files with the v2.17 ones.

That's what we've done across the company I work for.

Cheers,

Rich

Hi AnuragJaiswal ,

besides what richie advised, you can also:

Migrate to SoapUI 5.7.0: this version has been released as a reaction to Log4j vulnerability (contains Log4j version 2.17.1). Here you may face some compatibility issues, e.g. in treating JSONPath, as you can find in some other threads.

Stay with your old version of SoapUI: check the version of Log4j in your SoapUI/lib directory. I assume it will be some 1.x version which does not include the Log4Shell vulnerability. Please note this version may have its own vulnerabilities. 

I chose to upgrade to version 5.7.0.

Best regards,

Karel