Is SoapUI affected by Log4j Vulnerability? If yes, what are the actions required for permanent fix?

AnuragJaiswal
New Contributor

Hi Team,

 

I am Anurag from CBA. We are performing vulnerability remediation for all the software we are using, and we are reaching out to the corresponding vendors to understand what sort of actions we need to take in order to remediate the Log4j vulnerability in each and every service that uses Log4j.

 

We have found that the SoapUI tool is also one of those.

 

Could you please provide us with detailed information on the activities we need to take? Please find the software details we have on our servers:

SoapUI Version - 5.2.1

Build date: 20151002-1138

 

Appreciate your response.

 

Thanks

Anurag Jaiswal

Email: Anurag.Jaiswal@cba.com.au 

richie
Community Hero

Hey @AnuragJaiswal 

 

Yes, any software that runs log4j was open to the security issue reported just before Xmas.

 

I know there was another user on here whose Security Guys wanted the company he worked for to stop using SoapUI/ReadyAPI until an alternative to log4j was found (I think because a couple of weeks after the critical flaw was found, I think on 29th Dec, a further high priority flaw was found) - however software is always gonna have flaws - unless you're completely air gapped - there's always a risk.

 

I can only tell you what my company did with their ReadyAPI instances - they just swapped out all the existing log4j files and replaced them with v2.17 files.  I believe v2.16 was produced to fix the critical flaw and v2.17 was released to handle the flaw published on 29th December.

 

SoapUI changes can be pretty slow sometimes.  There's nothing wrong with you overwriting the existing log4j files with the v2.17 ones.

 

That's what we've done across the company I work for.

 

Cheers,

 

Rich

if this helped answer the post, could you please mark it as 'solved'? Also if you consider whether the title of your post is relevant? Perhaps if the post is solved, it might make sense to update the Subject header field of the post to something more descriptive? This will help people when searching for problems. Ta

Thanks @richie for your response.

How and where can I get the version 2.17 of Log4j for SoapUI? Do you have a reference link that you can provide?

Highly appreciate your response.

Thanks

Anurag Jaiswal

KarelHusa
Regular Contributor

Hi @AnuragJaiswal ,

besides what @richie advised, you can also:

 

Migrate to SoapUI 5.7.0: this version has been released as a reaction to the Log4j vulnerability (it contains Log4j version 2.17.1). Here you may face some compatibility issues, e.g. in treating JSONPath, as you can find in some other threads.

 

Stay with your old version of SoapUI: check the version of Log4j in your SoapUI/lib directory. I assume it will be some 1.x version which does not include the Log4Shell vulnerability. Please note this version may have its own vulnerabilities. 

 

I chose to upgrade to version 5.7.0.

 

Best regards,

Karel

 

Thanks @KarelHusa. That is helpful.

I will check with the team on the compatibility limitations and how it will affect the BAU. 

Thanks again.

Regards

Anurag

KeithT
Occasional Contributor

We upgraded to 5.7, however our scans are still flagging a security issue with LOG4J. I thought 5.7 would have corrected this... Any advice?

 

Path : C:\Program Files\SmartBear\SoapUI-5.7.0\hermesJMS\lib\log4j-1.2.15.jar

Installed version : 1.2.15

KarelHusa
Regular Contributor

Hi @KeithT ,

Hermes JMS has not been supported by SoapUI since 5.6.0, however there's still an option to install it.

 

If you install SoapUI 5.7.0 without Hermes, there will be no hermesJMS directory and no obsolete log4j library.

 

For more on HermesJMS see https://community.smartbear.com/t5/SoapUI-Open-Source-Questions/Is-Hermes-gone/m-p/225651 .

 

Best regards,

Karel
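Karel's advice to check the Log4j version in the SoapUI/lib directory and Keith's scan hit on hermesJMS\lib\log4j-1.2.15.jar both come down to the same inventory step. The Python below is an added example (not SmartBear's or SoapUI's code, and not from anyone in this thread) that walks an install directory, reads the version from each log4j*.jar name or, failing that, from its manifest, and labels it per the actions discussed here: 1.x as end-of-life, 2.x below 2.17 as needing the jar swap richie describes. The 2.17 floor is taken from richie's reply; the demo file names and manifest contents are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

MIN_LOG4J2 = (2, 17)  # floor for the 2.x line, per richie's reply above; 1.x is flagged separately
_NAME_RE = re.compile(r"^log4j(?:-[a-z0-9]+)*-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'2.17.1' -> (2, 17, 1); None when the text is not a dotted version."""
    text = text.strip()
    return tuple(int(p) for p in text.split(".")) if re.fullmatch(r"\d+(?:\.\d+)*", text) else None

def jar_version(path: str) -> Optional[Tuple[int, ...]]:
    """Version from the file name, else from Implementation-Version in the jar manifest."""
    m = _NAME_RE.match(re.split(r"[\\/]", path)[-1])  # basename for Windows or POSIX paths
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None

def classify(version: Optional[Tuple[int, ...]]) -> str:
    """Map a version tuple to the action this thread describes for it."""
    if version is None:
        return "UNKNOWN: version not determinable, inspect the jar by hand"
    if version[0] == 1:
        return "EOL: Log4j 1.x (not Log4Shell, but unsupported; remove with its component or replace)"
    if version[:2] < MIN_LOG4J2:
        return "ACTION: Log4j 2.x below 2.17, overwrite with 2.17+ jars"
    return "OK: Log4j 2.17 or later"

def scan(root: str) -> List[Tuple[str, str]]:
    """Walk root (e.g. the SoapUI install dir) and report every log4j*.jar, hermesJMS included."""
    return [(str(p), classify(jar_version(str(p)))) for p in sorted(Path(root).rglob("*.jar"))
            if p.name.lower().startswith("log4j")]

def demo() -> List[Tuple[str, str]]:
    """Constructed sample tree (not a real install): one jar per outcome, one versioned only in its manifest."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("log4j-1.2.15.jar", "log4j-core-2.14.1.jar", "log4j-api-2.17.1.jar"):
            Path(root, name).write_bytes(b"")  # placeholder files; the name carries the version
        with zipfile.ZipFile(Path(root, "log4j-renamed.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.16.0\r\n")
        return [(Path(p).name, c) for p, c in scan(root)]
```

Bridges such as log4j-over-slf4j also match the name filter, so review EOL and UNKNOWN hits by hand before removing anything.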

 

KeithT
Occasional Contributor

Thanks Karel!  That is what we found yesterday while troubleshooting and removing the component is the path we are taking.  So since it's unsupported there is no plan for a fix specific to the HermesJMS component correct? 

KarelHusa
Regular Contributor

@KeithT , 

maybe this thread could give you an answer: https://community.smartbear.com/t5/SoapUI-Open-Source-Questions/SoapUI-Open-Source-future/m-p/222292 ?

 

Best regards,

Karel

 

KeithT
Occasional Contributor

Thanks! 
