Log4j, Log4Shell, LogJam – All you need to know
Recently, the Log4Shell or LogJam vulnerability in the Apache Log4j library was discovered and the story has even made the mainstream news. Since millions of systems are affected and attackers are actively exploiting this vulnerability, affected systems need to be secured immediately. We have all the important information about it here.
What is Log4Shell or LogJam?
The Log4Shell vulnerability is a so-called zero-day vulnerability of the Log4j library, used in millions of applications written in Java. Zero-day means that this vulnerability is present in all versions of the library since its first release. Log4Shell is a remote code execution (RCE) vulnerability that allows attackers to execute code on affected systems and potentially gain control of the system. Log4j is a library for writing system logs, for example to document the error messages of an application. To exploit the vulnerability, attackers only need to get the system to write an entry in the log. They can then execute arbitrary code on the system. So this vulnerability is dangerous not only because it is used in millions of applications, but also because it can be very easily exploited.
Log4Shell and the Cloudogu EcoSystem
A large number of applications can be run on the Cloudogu EcoSystem. Some of these applications are also vulnerable to attacks using Log4Shell. The good news is that there are already new versions for the vulnerable tools in which the vulnerability is closed. So all you need to do is update the affected Dogus. Details about this and an up-to-date list of affected Dogus can be found in this post.
Log4Shell and SCM-Manager
Since neither the SCM-Manager tool itself nor the official plugins use the Log4j library, there is no vulnerability here. However, if you use plugins from external sources, i.e. plugins that were not installed via the tool’s plugin center, we naturally cannot guarantee that Log4j is not used in them. Here you can find instructions on how to check your installation of SCM-Manager if you use external plugins: To the blog post.
Log4Shell and other applications
Besides our Cloudogu EcoSystem and SCM-Manager, there are of course many other applications that could potentially use the affected Log4j library. Even applications written by yourself may be affected. There are several ways to find out whether you are affected:
- Our partner Snyk has IDE extensions that check code for vulnerabilities and provide resolution instructions. Read more about it in this blog post.
- Our partner Sonatype offers Sonatype Lifecycle, a tool that monitors the complete supply chain of your software and identifies vulnerabilities. You can learn more about it at this website.
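A third way to check an installation yourself, for example the plugin directory of an SCM-Manager with external plugins or the lib/ folder of an application you wrote, is to look inside the jar files for bundled copies of log4j-core. The following Python script is an added example written for this post, not code from Cloudogu, Snyk or Sonatype: it reads each archive (recursing into jars nested inside wars and fat jars), takes the log4j-core version from the Maven pom.properties entry, and checks whether the JndiLookup class is still present. The fixed Log4j version to compare against is not stated in this post and must be supplied by the caller from the Apache Log4j project's advisory; the build_sample_jar helper produces constructed test input, not the real library.

```python
import io
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # lookup class abused by Log4Shell
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries the version
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); non-numeric parts such as 'beta9' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def inspect_archive(data, name, fixed_version):
    """Report every log4j-core copy in one archive (bytes), recursing into nested jars."""
    findings, version = [], None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = dict(ln.split("=", 1) for ln in zf.read(POM_PROPS).decode().splitlines()
                         if "=" in ln and not ln.startswith("#"))
            version = props.get("version", "").strip() or None
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            # Flag if the lookup class is present and the version is below the fixed release (or unknown).
            outdated = version is None or parse_version(version) < parse_version(fixed_version)
            findings.append({"archive": name, "log4j_core": version,
                             "jndi_lookup": has_jndi, "vulnerable": has_jndi and outdated})
        for inner in sorted(names):  # fat jars, wars and plugin bundles embed further jars
            if inner.lower().endswith(ARCHIVES):
                findings += inspect_archive(zf.read(inner), f"{name}!{inner}", fixed_version)
    return findings

def scan_directory(root, fixed_version):
    """Inspect every archive below root, e.g. an application's lib/ or plugins/ directory."""
    return [f for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix.lower() in ARCHIVES
            for f in inspect_archive(p.read_bytes(), str(p), fixed_version)]

def build_sample_jar(version, with_jndi_lookup, wrap_as=None):
    """Constructed input mimicking log4j-core's layout (not the real library); wrap_as nests it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#constructed sample\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"placeholder, not real bytecode")
    if wrap_as is None:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(wrap_as, buf.getvalue())
    return outer.getvalue()
```

A copy of log4j-core from which JndiLookup.class has been removed is listed but not flagged, and a copy whose version cannot be read is treated as outdated, so the scan errs on the side of reporting.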