
Is there a log4j vulnerability in utPLSQL-cli? #203


Description

@drumbeg

The lib supplied with the latest release, slf4j-api 1.7.26.jar, allows the possibility of a log4j attack.

https://www.slf4j.org/log4shell.html

How is this being addressed?
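The slf4j page linked above distinguishes the slf4j-api facade from the log4j-core implementation that Log4shell actually targets. The following is an added example, not code from the utPLSQL-cli project, that inventories a lib directory and reports which jars are facade-only slf4j-api, which are log4j-core, and which log4j-core jars still contain the JndiLookup class; it runs against constructed sample jars (the jar names and entries are assumptions, not real artifacts).

```python
import os
import tempfile
import zipfile

# Class whose presence marks a log4j-core 2.x jar that still carries the JNDI
# lookup used by Log4shell. slf4j-api is only a logging facade and never has it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify_jar(path):
    """Return 'log4j-core-jndi', 'log4j-core', 'slf4j-api' or 'other' for one jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    if JNDI_LOOKUP in names:
        return "log4j-core-jndi"
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        return "log4j-core"
    if any(n.startswith("org/slf4j/") for n in names):
        return "slf4j-api"
    return "other"


def scan_lib_dir(lib_dir):
    """Map every *.jar directly under lib_dir to its classification."""
    return {
        name: classify_jar(os.path.join(lib_dir, name))
        for name in sorted(os.listdir(lib_dir))
        if name.endswith(".jar")
    }


def build_sample_lib(lib_dir):
    """Write constructed sample jars (hypothetical, not real releases) into lib_dir."""
    samples = {
        "slf4j-api-1.7.26.jar": ["org/slf4j/Logger.class", "org/slf4j/LoggerFactory.class"],
        "log4j-core-sample.jar": ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP],
        "ojdbc-sample.jar": ["oracle/jdbc/OracleDriver.class"],
    }
    for jar_name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")  # entry contents are irrelevant to the check
    return lib_dir


def demo_scan():
    """Build the sample lib in a temp dir and return its scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_lib_dir(build_sample_lib(tmp))


if __name__ == "__main__":
    for jar, kind in demo_scan().items():
        print(f"{jar}: {kind}")
```

Point `scan_lib_dir` at a real distribution's lib directory to see whether any log4j-core jar, as opposed to the slf4j-api facade, is actually shipped.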

Activity

pesse

pesse commented on Feb 4, 2022

@pesse
Member

Thanks for bringing this up.
Will provide an update as soon as possible.
However, in order to exploit Log4shell here, you'd need access to the database the cli is run against and create a test with a malicious name.
Possible, but very unlikely.

drumbeg

drumbeg commented on Mar 3, 2022

@drumbeg
Author

Any update on the log4j issue?

jgebal

jgebal commented on Mar 13, 2022

@jgebal
Member

How do you see the log4j issue being exploited in this software?
We will definitely update the log4j library or remove it at some point when working on new features/bugfixes for the cli.
I'm not sure however if there is real value in fixing it by itself.

Does it block you in any way at the moment?

added a commit that references this issue on Jun 9, 2022
79d69ff