Forum Discussion
Hi AnuragJaiswal,
besides what richie advised, you can also:
Migrate to SoapUI 5.7.0: this version has been released as a reaction to Log4j vulnerability (contains Log4j version 2.17.1). Here you may face some compatibility issues, e.g. in treating JSONPath, as you can find in some other threads.
Stay with your old version of SoapUI: check the version of Log4j in your SoapUI/lib directory. I assume it will be some 1.x version which does not include the Log4Shell vulnerability. Please note this version may have its own vulnerabilities.
I chose to upgrade to version 5.7.0.
Best regards,
Karel
We upgraded to 5.7; however, our scans are still flagging a security issue with LOG4J. I thought 5.7 would have corrected this... Any advice?
Path : C:\Program Files\SmartBear\SoapUI-5.7.0\hermesJMS\lib\log4j-1.2.15.jar
Installed version : 1.2.15
- KarelHusa, 3 years ago, Champion Level 1
Hi KeithT,
Hermes JMS is not supported by SoapUI since 5.6.0, however there's still an option to install it.
If you install SoapUI 5.7.0 without Hermes, there will be no hermesJMS directory and its obsolete log4j library.
For more on HermesJMS see https://community.smartbear.com/t5/SoapUI-Open-Source-Questions/Is-Hermes-gone/m-p/225651 .
Best regards,
Karel
- KeithT, 3 years ago, Occasional Contributor
Thanks Karel! That is what we found yesterday while troubleshooting, and removing the component is the path we are taking. So, since it's unsupported, there is no plan for a fix specific to the HermesJMS component, correct?
- KarelHusa, 3 years ago, Champion Level 1
KeithT,
maybe this thread could give you an answer: https://community.smartbear.com/t5/SoapUI-Open-Source-Questions/SoapUI-Open-Source-future/m-p/222292 ?
Best regards,
Karel
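The check discussed in this thread (which Log4j jars sit under a SoapUI install, including optional components such as hermesJMS) can be scripted. The following is an added example, not part of the thread and not SmartBear code; it assumes jars follow the usual `name-version.jar` naming, and the function names are hypothetical.

```python
import re
import zipfile
from pathlib import Path

# Log4j version the thread says ships with SoapUI 5.7.0.
BASELINE = (2, 17, 1)
# Assumption: jars keep the usual Maven-style "name-version.jar" file name.
NAME_RE = re.compile(r"^log4j(?:-core|-api|-1\.2-api)?-(\d+(?:\.\d+)+)\.jar$", re.I)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify(version):
    """Map a version tuple to the cases discussed in the thread."""
    if version[0] == 1:
        return "1.x: no Log4Shell, but obsolete with its own vulnerabilities"
    if version < BASELINE:
        return "2.x older than 2.17.1: upgrade"
    return "2.17.1 or newer"


def has_jndi_lookup(jar_path):
    """True if the archive contains the Log4j 2 JndiLookup class."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return False  # unreadable, or not a real archive


def scan(root):
    """Return (relative path, version, verdict, has JndiLookup) per Log4j jar."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        match = NAME_RE.match(jar.name)
        if not match:
            continue
        version = tuple(int(part) for part in match.group(1).split("."))
        findings.append((jar.relative_to(root).as_posix(), match.group(1),
                         classify(version), has_jndi_lookup(jar)))
    return findings


if __name__ == "__main__":
    import sys
    for path, ver, verdict, jndi in scan(sys.argv[1]):
        print(f"{path}\t{ver}\t{verdict}\tJndiLookup={jndi}")
```

Run it with the install directory as the only argument. The JndiLookup column only reports that the class is present in the jar; the version verdict is what matters for the cases above.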