New CVE-2021-44832 - Remote Code Execution (RCE) for log4j

Question

On December 28th a new vulnerability was found in log4j 2.17.0.&nbsp; Is SoapUI 5.6.1 impacted by this vulnerability?

karelhusa · Answer

Hi&nbsp;hornunsm&nbsp;,SoapUI 5.6.1 uses log4j 2.16.0 and thus is theoretically vulnerable to&nbsp;CVE-2021-44832. See&nbsp;https://logging.apache.org/log4j/2.x/security.html&nbsp;for more information.&nbsp;Hoewever, the attacker needs to modify the logging configuration, so you have to decide whether this applies to your situation. By default there is no&nbsp;JDBC Appender&nbsp;in the SoapUI's logging configuration.&nbsp;Log4j is now under heavy investigation, therefore different vulnerabilities come to light. Please note that SoapUI uses 150 Java libraries, they will have their vulnerabilities as well. Furthermore, SoapUI offers including custom Groovy code, which also can be misused for attacks.&nbsp;&nbsp;Security needs to be taken more seriously than in the past, that's the main log4shell lesson. On the other hand (almost) every piece of software has its vulnerabilities, so we need to stay calm and think of security. If we want to be 100% secure we have to stop using computers at all. 🙂&nbsp;Best regards,Karel&nbsp;

Forum Discussion

New CVE-2021-44832 - Remote Code Execution (RCE) for log4j

1 Reply

Related Content

Command line execution from remote directory

Remote Procedure call failed while executing java functions

Remote Execution for Web picking tablet view while execution in headless mode.

Remote Desktop

Run Remote Browser: Methods supported

Recent Discussions

Encrypt passwords and master password?

SOAP Request works in SoapUI, but not in C# code

clone TestSuite fails when there are more project with the same name

Will SOAP UI 5.6.1 work with JDK 8

How to configure Swagger in Paas to use it in Oracle APEX instance.