Any impact of log4j security vulnerability?

Answered

As I understand it, TeamCity relies on log4j for logging.

A few days ago, a vulnerability was found in log4j which allows execution of arbitrary code:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

At a first glance, it looks like this vulnerability would have impact on TeamCity. Is there some reason this would not cause issues in TeamCity?

16 comments

Hi Martin,

While the investigation is still ongoing, our preliminary results indicate that TeamCity is not vulnerable since the log4j version we use (1.2) is not among those affected by the issue. From our understanding, most recent versions of the JVM already shut down some of the attack vectors, so the first suggestion would be to ensure you are running a modern JVM: https://www.lunasec.io/docs/blog/log4j-zero-day/

If we find that some of the attack vectors can actually impact TeamCity, we will release an urgent bugfix for it, so please stay up to date on upgrading your installation if possible.

Edited to remove the JMS Appender comment. Our current investigation does not show the ability to exploit the vulnerability even when it is added.

0

After some testing, it looks like JetBrains Hub may perhaps be susceptible to this attack via the authentication page.

0

We use the latest TeamCity version and grype reports one package is vulnerable:

package: log4j-api current version: 2.11.1 fixed version: 2.15.0 advisory: GHSA-jfh8-c2jp-5v3q level: Critical

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Not sure how this package is actually used, so maybe it's not really affected. Would be great if someone from the TC team could confirm.

Thanks,

0

After further investigation, it seems this plugin is using the log4j version mentioned above:

Search builds plugin installed in <WEB-INF>/plugins/searchBuildByNumber

This is part of the bundled plugins. Would be interesting to understand the side effects of disabling it.

0
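Added here as an illustration for the two comments above (not code from the thread, from JetBrains or from grype): an inventory script that walks a TeamCity installation directory, records every log4j jar by artifact and version, and flags only the jars that actually contain the JndiLookup class, which ships in log4j-core and is never present in a log4j-api jar on its own, when their version is below the fixed version grype reported in the thread (2.15.0, passed as a parameter). The constructed fixture reuses the searchBuildByNumber path from the thread; the other plugin directories and the core jars in it are hypothetical.

```python
import os, re, tempfile, zipfile
from dataclasses import dataclass

# JNDI lookup class behind CVE-2021-44228; it ships only in log4j-core 2.x, not in log4j-api alone.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-api-2.11.1.jar, log4j-core-2.14.1.jar and the legacy log4j-1.2.17.jar (not shaded copies).
JAR_RE = re.compile(r"^log4j-(?:(?P<artifact>[a-z][a-z0-9]*)-)?(?P<ver>\d+(?:\.\d+)+)\.jar$")

@dataclass
class Log4jJar:
    path: str
    artifact: str          # "api", "core", or "log4j" for the 1.x single jar
    version: tuple         # e.g. (2, 11, 1)
    has_jndi_lookup: bool  # True only when JndiLookup.class is inside the jar

def scan_log4j(root: str) -> list:
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    has_jndi = JNDI_LOOKUP in jar.namelist()
            except zipfile.BadZipFile:
                has_jndi = False  # unreadable jar: still inventoried, not flagged
            version = tuple(int(p) for p in m["ver"].split("."))
            found.append(Log4jJar(path, m["artifact"] or "log4j", version, has_jndi))
    return sorted(found, key=lambda j: j.path)

def flagged(jars: list, fixed: tuple = (2, 15, 0)) -> list:
    # Only jars carrying the lookup class and older than the advisory's fixed version need attention.
    return [j for j in jars if j.has_jndi_lookup and j.version < fixed]

def build_sample_tree(root: str) -> None:
    # Constructed fixture: the api-only plugin jar from the thread, a 1.2 jar, two hypothetical core jars.
    samples = {"WEB-INF/plugins/searchBuildByNumber/log4j-api-2.11.1.jar": "org/apache/logging/log4j/Logger.class",
               "WEB-INF/lib/log4j-1.2.17.jar": "org/apache/log4j/Logger.class",
               "plugins/hypothetical-a/log4j-core-2.14.1.jar": JNDI_LOOKUP,
               "plugins/hypothetical-b/log4j-core-2.15.0.jar": JNDI_LOOKUP}
    for rel, entry in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, rel), "w") as jar:
            jar.writestr(entry, b"")  # an empty placeholder entry is enough for the check

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        jars = scan_log4j(root)
    return {"inventory": [(j.artifact, j.version, j.has_jndi_lookup) for j in jars],
            "flagged": [os.path.basename(j.path) for j in flagged(jars)]}
```

Point `scan_log4j` at the TeamCity home directory on a real server; a jar that has been renamed or shaded will not match the filename pattern and must be inspected by hand.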

Denis Lapuente, if JetBrains has a public statement somewhere, please link it here. Per above, there are some questions about TeamCity. We are also using a JB license server and would like to know about that.

0

Would also like to see some sort of statement or even a blog post with an accurate analysis of the facts (e.g. I also see log4j-api-2.11.1 in searchBuildByNumber), potential mitigations and some sort of roadmap. Many of us have long lists of potentially vulnerable software and need to assess quickly and simply.

0

Re. self-hosted license servers, I see there is a new version that patches this: https://www.jetbrains.com/help/license_server/release_notes.html.

0

Thanks John Price. I can see that there is a new Build specifically addressing the Log4J vulnerability: Build no. 30211.

The next (obvious) question, I guess (aimed at TC folk) is when will it be possible to install this version via the typical Upgrade process available through the TeamCity Admin console? Is there an ETA here?

0

An update for those interested in this topic. We have opened up the issue in our tracker with updates on our investigation, which currently confirms TeamCity is not vulnerable to the issue. Please refer to it for further developments as our investigation continues: https://youtrack.jetbrains.com/issue/TW-74298

0

Hi, what about TeamCity plugins? We use TeamCity Cloud; does it use any vulnerable plugins, e.g. the Octopus Deploy TeamCity plugin that is vulnerable? If that is the case, has this been updated to a patched version?
https://advisories.octopus.com/adv/2021-12---Octopus-Deploy-TeamCity-Plugin-log4j2-dependency.2306410241.html

0

Hello,

We verified that the Octopus Deploy plugin currently installed in TeamCity Cloud (v6.0.2: https://plugins.jetbrains.com/files/9038/108348/Octopus.TeamCity.zip) has no log4j bundled within, so it's not affected by the issue. During the December upgrade (coming approx. next week) we'll upgrade the plugin to the latest version, which uses a fixed log4j version.

0

Is the latest TeamCity / Octopus plugin (6.1.8) compatible with TeamCity server version 2018.2.4? We have an older version of the plugin (4.15.10) installed on our TeamCity server and would like to just update to the latest if possible. Appreciate the help.

0

Jdietrich, I have spoken to our engineering team and they believe 6.1.8 of the Octopus plugin should work with 2018.2.4.

If you run into any issues you can contact us at support@octopus.com.

0

Please advise on the status of this issue. My security team is now stating that all versions of log4j are vulnerable, from version 1.2 to 2.15. Thanks,

Coleen

0

Kyle Jackson - The upgrade of the plugin (6.1.8) worked with our older TeamCity version (2018.2.4). Appreciate your help.

0