New CVE-2021-44832 - Remote Code Execution (RCE) for log4j

Champion Level 3

3 years ago

SoapUI 5.6.1 uses log4j 2.16.0 and thus is theoretically vulnerable to CVE-2021-44832. See https://logging.apache.org/log4j/2.x/security.html for more information.

Hoewever, the attacker needs to modify the logging configuration, so you have to decide whether this applies to your situation. By default there is no JDBC Appender in the SoapUI's logging configuration.

Log4j is now under heavy investigation, therefore different vulnerabilities come to light. Please note that SoapUI uses 150 Java libraries, they will have their vulnerabilities as well. Furthermore, SoapUI offers including custom Groovy code, which also can be misused for attacks.

Security needs to be taken more seriously than in the past, that's the main log4shell lesson. On the other hand (almost) every piece of software has its vulnerabilities, so we need to stay calm and think of security. If we want to be 100% secure we have to stop using computers at all. 🙂

Best regards,

Karel

Forum Discussion

New CVE-2021-44832 - Remote Code Execution (RCE) for log4j

Related Content

Command line execution from remote directory

Remote Procedure call failed while executing java functions

Remote Execution for Web picking tablet view while execution in headless mode.

Remote Desktop

Run Remote Browser: Methods supported

Recent Discussions

When You need MyBalanceNow?

Encrypt passwords and master password?

Why Saraf Furniture is the best Choice for Wooden Furniture? Saraf Furniture Reviews

SOAP Request works in SoapUI, but not in C# code

clone TestSuite fails when there are more project with the same name