Katalon Response to the Log4J2 exploit (cve-2021-44228)

Apologies for writing this before doing my research (which I am just about to do), but I’ve just been alerted to a major exploit called Zeroday, which affects users of Log4j prior to v2.15.0.
Looking in the Katalon installation files (plugins folder) I see “org.apache.log4j_1.2.15.v201012070815.jar” (version 1.2.15.v201012070815).
Does anyone have any information on whether this is an issue for Katalon users please?

For details, see Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet | Ars Technica

Also: Remote code injection in Log4j · CVE-2021-44228 · GitHub Advisory Database · GitHub

A quick update - I heard back from Katalon support that they are evaluating this impact. I read that this exploit only impacts Log4J v2, and not v1 (which is EOL), and it looks like v1 is what Katalon uses.

Confirmed:

But…


@duyluong @ThanhTo @devalex88 Can a dev please investigate and report back a definitive statement as to the likelihood of exposure to Katalon users?


Tracking: https://www.randori.com/blog/cve-2021-44228/

Hi there,

Katalon Studio (KS, KSE and KRE) uses Log4J v1.2.15 as one of our dependencies, which may be impacted by this vulnerability, but the severity is much lower. For more details, please refer to this explanation from a Log4j2 team member.

Katalon Studio doesn’t use JMSAppender, so the vulnerability (if any) may come from the libraries themselves. We will consider updating Log4j to v2.15.0+ as recommended, but not ASAP for now.

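The check the original poster did by hand (looking for a Log4j jar in the Katalon plugins folder and reading its version) and the distinction the Katalon reply draws (Log4j 1.x is only exposed through JMSAppender, Log4j 2.x below 2.15.0 is hit by CVE-2021-44228) can be automated. The script below is an added example, not code from Katalon or from the thread: it walks a directory for jars, reads the version from `META-INF/MANIFEST.MF` (`Implementation-Version` for Maven builds, `Bundle-Version` for Eclipse/OSGi bundles such as `org.apache.log4j_1.2.15.v201012070815.jar`), falls back to the filename, classifies the jar by whether it carries the Log4j 2 `JndiLookup` class or the Log4j 1 `JMSAppender` class, and recurses into jars nested inside other jars (shaded plugins). The `run_demo` function builds constructed stand-in jars in a temporary folder so the example runs offline; the file names and the `com/example/Plugin.class` entry in it are assumptions for the demo, not real Katalon artefacts.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Log4j 2.x class that implements ${jndi:...} lookups. Fixed versions still ship
# it (disabled by default), so presence alone only identifies a Log4j 2 core jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Log4j 1.x appender with a JNDI code path (CVE-2021-4104); only reachable when
# the logging configuration actually wires JMSAppender up.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
# Threshold used in this thread: Log4j 2 older than 2.15.0 is affected by CVE-2021-44228.
FIXED = (2, 15, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
Version = Optional[Tuple[int, ...]]


def _parse_version(text: str) -> Version:
    m = VERSION_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def _manifest_version(zf: zipfile.ZipFile) -> Version:
    """Read Implementation-Version (Maven) or Bundle-Version (OSGi/Eclipse plugin)."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return _parse_version(m.group(1))
    return None


def assess_jar(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Return (jar name, status) for each Log4j artefact found, recursing into nested jars."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = set(zf.namelist())
        version = _manifest_version(zf) or _parse_version(Path(name).name)
        if JNDI_LOOKUP in entries:
            if version is None:
                status = "log4j 2.x, version unknown: treat as affected by CVE-2021-44228"
            elif version < FIXED:
                status = "log4j 2.x < 2.15.0: affected by CVE-2021-44228"
            else:
                status = "log4j 2.x >= 2.15.0"
            findings.append((name, status))
        elif JMS_APPENDER in entries:
            findings.append((name, "log4j 1.x: not affected by CVE-2021-44228; "
                                   "JMSAppender only matters if configured (CVE-2021-4104)"))
        for entry in sorted(entries):  # shaded/uber jars and plugin bundles nest jars
            if entry.endswith(".jar"):
                findings.extend(assess_jar(f"{name}!{entry}", zf.read(entry)))
    return findings


def scan_directory(root: Path) -> List[Tuple[str, str]]:
    results: List[Tuple[str, str]] = []
    for jar in sorted(root.rglob("*.jar")):
        results.extend(assess_jar(str(jar.relative_to(root)), jar.read_bytes()))
    return results


def _make_jar(path: Path, version_line: str, class_entry: str, nested: Optional[bytes] = None) -> None:
    """Build a minimal constructed stand-in jar (not a real Log4j build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\n{version_line}\n")
        zf.writestr(class_entry, b"\xca\xfe\xba\xbe")  # class-file magic is enough for the scan
        if nested is not None:
            zf.writestr("lib/log4j-core-2.14.1.jar", nested)


def run_demo() -> dict:
    """Build a fake plugins folder with constructed jars and scan it; returns {jar name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _make_jar(root / "org.apache.log4j_1.2.15.v201012070815.jar",
                  "Bundle-Version: 1.2.15.v201012070815", JMS_APPENDER)
        _make_jar(root / "log4j-core-2.14.1.jar", "Implementation-Version: 2.14.1", JNDI_LOOKUP)
        _make_jar(root / "log4j-core-2.17.0.jar", "Implementation-Version: 2.17.0", JNDI_LOOKUP)
        # hypothetical plugin jar that shades a vulnerable log4j-core inside it
        _make_jar(root / "some-plugin-1.0.jar", "Bundle-Version: 1.0.0", "com/example/Plugin.class",
                  nested=(root / "log4j-core-2.14.1.jar").read_bytes())
        return dict(scan_directory(root))


if __name__ == "__main__":
    for jar, status in run_demo().items():
        print(f"{jar}: {status}")
    # Against a real install: scan_directory(Path("/path/to/Katalon Studio/plugins"))
```

A jar with no findings (the outer `some-plugin-1.0.jar` in the demo) produces no line; the vulnerable copy it shades shows up under `some-plugin-1.0.jar!lib/log4j-core-2.14.1.jar`, which is the case a filename-only search misses. The status for Log4j 1.x is deliberately not "safe": it matches the thread's point that exposure there depends on whether JMSAppender is configured, which a jar scan cannot tell you.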

Hi everyone

If you want to get rid of the Log4j versions before 2.15.0, you can use 8.2.3.beta. This beta release upgraded log4j to version 2.17.0.

Download it from our GitHub Repo at: https://github.com/katalon-studio/katalon-studio/releases/tag/v8.2.3.beta

During your usage, if you have any issues, please let us know. Thanks everyone!

Happy testing

Jass

Hi everyone,

The fix has been merged into official release: Katalon Studio 8.3.0.
Please see the Release note for more details.

Happy Testing!
Nam Nguyen.
