Any impact of log4j security vulnerability?
Answered
As I understand it, TeamCity relies on log4j for logging.
A few days ago, a vulnerability was found in log4j which allows execution of arbitrary code:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
At a first glance, it looks like this vulnerability would have impact on TeamCity. Is there some reason this would not cause issues in TeamCity?
Hi Martin,
While the investigation is still ongoing, our preliminary results indicate that TeamCity is not vulnerable, since the log4j version we use (1.2) is not among those affected by the issue. From our understanding, most recent versions of the JVM already shut down some of the attack vectors, so the first suggestion would be to ensure you are running a modern JVM: https://www.lunasec.io/docs/blog/log4j-zero-day/
If we find that some of the attack vectors can actually impact TeamCity, we will release an urgent bugfix for it, so please stay up to date on upgrading your installation if possible.
Edited to remove the JMS Appender comment. Our current investigation does not show the ability to exploit the vulnerability even when it is added.
That might not be a complete fix https://twitter.com/yazicivo/status/1469393075768373255
It looks like after some testing that perhaps JetBrains Hub via the authentication page may be susceptible to this attack.
We use the latest TeamCity version and grype reports one package is vulnerable:
package: log4j-api current version: 2.11.1 fixed version: 2.15.0 advisory: GHSA-jfh8-c2jp-5v3q level: Critical
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
Not sure how this package is actually used, so maybe it's not really affected. Would be great if someone from the TC team could confirm.
Thanks,
After further investigation, it seems this plugin is using the log4j version mentioned above:
Search builds plugin installed in <WEB-INF>/plugins/searchBuildByNumber
This is part of the bundled plugins. Would be interesting to understand the side effects of disabling it.
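As an added example (not part of this thread and not JetBrains tooling), a small Python inventory script that walks an installation directory such as the plugins folder mentioned above, including the zip archives plugins ship as, and reports every log4j jar it finds against the 2.15.0 fix version named in the advisory; the directory layout, plugin name "Example.TeamCity.zip" and placeholder jar files are constructed for the demo.

```python
import os
import re
import tempfile
import zipfile
# Fix version named in GHSA-jfh8-c2jp-5v3q for the log4j 2.x line (quoted in the thread).
FIXED_2X = (2, 15, 0)
# Matches log4j-api-2.11.1.jar / log4j-core-2.11.1.jar and the 1.x naming log4j-1.2.17.jar.
JAR_RE = re.compile(r"^log4j(?:-(api|core))?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")

def classify(name):
    """Return (artifact, version, status) for a log4j jar file name, else None."""
    m = JAR_RE.match(os.path.basename(name))
    if not m:
        return None
    artifact = m.group(1) or "log4j"
    ver = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    if ver[0] == 2:
        status = "below-fixed" if ver < FIXED_2X else "at-or-above-fixed"
    else:  # 1.x is a different code line; the advisory's fix version does not apply to it
        status = "1.x-line-assess-separately"
    return artifact, ".".join(map(str, ver)), status

def scan(root):
    """Walk root; inspect loose jars and the members of .zip plugin archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            path = os.path.join(dirpath, f)
            hit = classify(f)
            if hit:
                findings.append((path,) + hit)
            if f.endswith(".zip"):  # plugins are distributed as zip archives
                with zipfile.ZipFile(path) as z:
                    for member in z.namelist():
                        hit = classify(member)
                        if hit:
                            findings.append((path + "!" + member,) + hit)
    return findings

def demo():
    """Constructed sample tree mirroring the thread's layout; jars are empty placeholder files."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, "plugins", "searchBuildByNumber", "server")
    os.makedirs(plugin)
    for jar in ("log4j-api-2.11.1.jar", "log4j-over-slf4j-1.7.30.jar"):
        open(os.path.join(plugin, jar), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "plugins", "Example.TeamCity.zip"), "w") as z:
        z.writestr("server/log4j-core-2.15.0.jar", b"")
    return scan(root)
```

Running `scan()` on a real installation root lists each jar with its path, so a finding inside a zip archive can be traced back to the plugin that bundles it.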
Denis Lapuente if JetBrains has a public statement somewhere, please link it here. Per above, there are some questions about TeamCity. We are also using a JB license server and would like to know about that.
Would also like to see some sort of statement or even a blog post with an accurate analysis of the facts (e.g. I also see log4j-api-2.11.1 in searchBuildByNumber), potential mitigations and some sort of roadmap. Many of us have long lists of potentially vulnerable software and need to assess quickly and simply.
Re: self-hosted license servers, I see there is a new version that patches this: https://www.jetbrains.com/help/license_server/release_notes.html.
Thanks John Price. I can see that there is a new Build specifically addressing the Log4J vulnerability: Build no. 30211.
The next (obvious) question, I guess (aimed at TC folk) is when will it be possible to install this version via the typical Upgrade process available through the TeamCity Admin console? Is there an ETA here?
An update for those interested in this topic. We have opened up the issue in our tracker with updates on our investigation, which currently confirms TeamCity is not vulnerable to the issue. Please refer to it for further developments as our investigation continues: https://youtrack.jetbrains.com/issue/TW-74298
Hi, what about TeamCity plugins? We use TeamCity Cloud; does it use any vulnerable plugins, e.g. the Octopus Deploy TeamCity plugin, which is vulnerable? If that is the case, has this been updated to a patched version?
https://advisories.octopus.com/adv/2021-12---Octopus-Deploy-TeamCity-Plugin-log4j2-dependency.2306410241.html
Hello,
We verified that the Octopus Deploy plugin currently installed in TeamCity Cloud (v6.0.2: https://plugins.jetbrains.com/files/9038/108348/Octopus.TeamCity.zip) has no log4j bundled within, so it's not affected by the issue. During the December upgrade (coming approx. next week) we'll upgrade the plugin version to the latest, which uses a fixed log4j version.
Is the latest TeamCity / Octopus plugin (6.1.8) compatible with TeamCity server version 2018.2.4? We have an older version of the plugin (4.15.10) installed on our TeamCity server and would like to just update to the latest if possible. Appreciate the help.
Jdietrich I have spoken to our engineering team and they believe 6.1.8 of the Octopus Plugin should work with 2018.2.4.
If you run into any issues you can contact us at support@octopus.com.
Please advise on the status of this issue. My security team is now stating that all versions of log4j are vulnerable, from version 1.2 to 2.15. Thanks,
Coleen
Kyle Jackson - The upgrade of the plugin (6.1.8) worked with our older TeamCity version (2018.2.4). Appreciate your help.