Apologies for writing this before doing my research (which I am just about to do), but I’ve just been alerted to a major exploit called Zeroday which affects users of Log4j prior to v2.15.0.
Looking in the Katalon installation files (plugins folder) I see “org.apache.log4j_1.2.15.v201012070815.jar” (version 1.2.15.v201012070815).
Does anyone have any information on whether this is an issue for Katalon users please?
A quick update - I heard back from Katalon support that they are evaluating this impact. I read that this exploit only impacts Log4J v2, and not v1 (which is EOL), and it looks like v1 is what Katalon uses.
Katalon Studio (KS, KSE and KRE) uses Log4J v1.2.15 as one of our dependencies that may be impacted by this vulnerability, but the severity is pretty much lower. For more details, please refer to this explanation from a Log4j2 team member.
Katalon Studio doesn’t use JMSAppender, so the vulnerability (if any) may come from the libraries themselves. We will consider updating Log4j to v2.15.0+ as recommended, but not ASAP for now.
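The thread boils down to an inventory question: which log4j jars are on disk, are they 1.x or 2.x, and does a given jar actually ship the classes the two issues hinge on (JndiLookup in log4j 2 core, JMSAppender in log4j 1). The script below is an added example written for this thread, not code from Katalon or anyone in the discussion. It assumes a plugins folder of OSGi-style bundle jars (the `org.apache.log4j_1.2.15.v201012070815.jar` name quoted above) or Maven-style jars (`log4j-core-2.14.1.jar`), and it builds constructed sample jars in a temporary folder so it runs offline; the marker class names are real log4j class paths, but the sample jars contain only empty placeholder entries.

```python
"""Inventory log4j jars in a plugins folder and report which generation each belongs to."""
import re
import tempfile
import zipfile
from pathlib import Path

# Matches OSGi-style bundle names like "org.apache.log4j_1.2.15.v201012070815.jar"
# (the file quoted in the thread) and Maven-style names like "log4j-core-2.14.1.jar".
LOG4J_JAR_RE = re.compile(
    r"(?P<artifact>(?:org\.apache\.)?log4j[\w.-]*?)[-_](?P<version>\d+\.\d+\.\d+)"
)

# Class files whose presence tells you which code path a jar actually ships.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2 core
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"                # log4j 1.x


def classify(version: str) -> str:
    """Map a log4j version string to a risk bucket, following the thread's rule of thumb."""
    major, minor, patch = (int(p) for p in version.split("."))
    if major == 1:
        # Not affected by the 2.x lookup flaw; EOL, so review any JMSAppender configuration.
        return "log4j1-eol"
    if (major, minor, patch) < (2, 15, 0):
        return "log4j2-vulnerable"  # below the 2.15.0 fix the thread refers to
    return "log4j2-fixed"


def inspect_jar(path: Path) -> dict:
    """Return the version bucket plus which sensitive classes the jar contains."""
    m = LOG4J_JAR_RE.search(path.name)
    if not m:
        return {}
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    return {
        "file": path.name,
        "artifact": m["artifact"],
        "version": m["version"],
        "bucket": classify(m["version"]),
        "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
        "has_jms_appender": JMS_APPENDER_CLASS in names,
    }


def scan_plugins(folder: Path) -> list:
    """Walk the folder and return one record per log4j-looking jar, sorted by file name."""
    results = [inspect_jar(p) for p in sorted(folder.rglob("*.jar"))]
    return [r for r in results if r]


def build_sample_plugins(folder: Path) -> None:
    """Constructed sample data: jars that contain only empty marker entries, not real bytecode."""
    samples = {
        "org.apache.log4j_1.2.15.v201012070815.jar": [JMS_APPENDER_CLASS],
        "log4j-core-2.14.1.jar": [JNDI_LOOKUP_CLASS],
        "log4j-core-2.15.0.jar": [JNDI_LOOKUP_CLASS],
        "commons-io-2.11.0.jar": ["org/apache/commons/io/IOUtils.class"],  # unrelated jar, ignored
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(folder / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")


def demo() -> list:
    """Build the constructed plugins folder in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp)
        build_sample_plugins(plugins)
        return scan_plugins(plugins)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Point `scan_plugins` at the real Katalon `plugins` folder to get the same records for an installation; a 1.x jar that reports `has_jms_appender` is only a concern if a logging configuration actually wires up that appender, which matches the distinction Katalon's reply draws.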