Apache Log4j2 Remote Code Execution (RCE) Vulnerability

Published on December 14, 2021, by RhodeCode Admin


Summary:


A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed
publicly via the project’s GitHub on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.

The RhodeCode product is written in Python and doesn't use any Apache Log4j components directly.
However, RhodeCode optionally uses ElasticSearch to perform full text search.

Based on the information provided by ElasticSearch here,
some versions of ElasticSearch are affected because they use Log4j internally.

  • RhodeCode uses ElasticSearch 6.X. Based on that information, when using the latest ES version, supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage.

  • RhodeCode uses ElasticSearch for full text search, and we only use the API to query the indexed data from ElasticSearch. We use the raw query language to send queries to ElasticSearch, and the input is sanitized so that only a limited query syntax is accepted.
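The first bullet above reduces to a concrete check an operator can run against an ElasticSearch cluster: both the ElasticSearch version (6.8.9+ or 7.8+) and the JDK on every node (JDK 9+) must meet the quoted thresholds before the "not susceptible" statement applies. The script below is an added example and not RhodeCode's or Elastic's own code; it reads the JSON returned by the real `GET /` and `GET /_nodes/jvm` endpoints, but the two responses embedded here are constructed samples, and the node names in them are invented.

```python
import json
import re

# Thresholds the advisory quotes from Elastic: ES 6.8.9+ or 7.8+, run on JDK 9+.
# Other major versions are not covered by this advisory and are reported as "unknown".
SAFE_ES_MIN = {6: (6, 8, 9), 7: (7, 8, 0)}
SAFE_JDK_MAJOR = 9

# Constructed sample responses (not captured from a real cluster):
#   GET /            -> cluster banner carrying the Elasticsearch version
#   GET /_nodes/jvm  -> per-node JVM details
SAMPLE_ROOT = json.dumps({"name": "es-node-1", "version": {"number": "6.8.9"}})
SAMPLE_NODES = json.dumps({"nodes": {
    "nodeA": {"name": "es-node-1", "jvm": {"version": "11.0.2"}},
    "nodeB": {"name": "es-node-2", "jvm": {"version": "1.8.0_292"}},
}})


def parse_version(text):
    """'6.8.9' -> (6, 8, 9); missing components become 0, suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def jdk_major(text):
    """JDK 8 and older report '1.8.0_292'; JDK 9+ report '11.0.2'-style strings."""
    v = parse_version(text)
    return v[1] if v[0] == 1 else v[0]


def es_status(version):
    """'safe' inside the advisory's fixed ranges, 'vulnerable' below them,
    'unknown' for major versions the advisory does not cover."""
    v = parse_version(version)
    floor = SAFE_ES_MIN.get(v[0])
    if floor is None:
        return "unknown"
    return "safe" if v >= floor else "vulnerable"


def assess(root_json, nodes_json):
    """Combine the cluster version with every node's JVM. The advisory's
    condition holds only when BOTH the ES version and every JDK are recent enough."""
    es_version = json.loads(root_json)["version"]["number"]
    old_jvm_nodes = [
        node.get("name", node_id)
        for node_id, node in json.loads(nodes_json)["nodes"].items()
        if jdk_major(node["jvm"]["version"]) < SAFE_JDK_MAJOR
    ]
    status = es_status(es_version)
    return {
        "es_version": es_version,
        "es_status": status,
        "old_jvm_nodes": old_jvm_nodes,      # nodes that still run JDK 8 or older
        "meets_advisory": status == "safe" and not old_jvm_nodes,
    }


if __name__ == "__main__":
    # With the constructed samples, the ES version passes but es-node-2 runs JDK 8,
    # so the cluster as a whole does not meet the advisory's condition.
    print(json.dumps(assess(SAMPLE_ROOT, SAMPLE_NODES), indent=2))
```

The check deliberately fails closed: a single node on an old JDK is enough to report `meets_advisory` as false, because the quoted statement is about the ES version and JDK together, not about either on its own.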

To the best of our knowledge, this query sanitization, together with the option of running a non-vulnerable ElasticSearch version, does not provide a path to exploit the Log4j vulnerability.

RhodeCode Team