Seeking update on log4j

Could someone please give an update on log4j? I checked v8.2.5 and found that org.apache.log4j_1.2.15.v201012070815.jar is there, and v8.2.5 does not have log4j 2.17.0, although version 8.2.3 had it. I am wondering why the latest version does not have the latest release of log4j 2.17.1. Please suggest any update; I also want to know whether it is safe to use any of the recent releases of Katalon Studio.

Did you try searching?

Sorry, my bad, log4j 2.17.0 is there in Katalon v8.2.3. But I noticed it's not there in the latest release, 8.2.5. Rather, it has log4j 1.2.15. May I know why?

That must be a build issue (@duyluong, @ThanhTo, @devalex88) because it was supposed to have been updated to v2.x.

@duyluong the link you posted previously has been updated to include v1.x vulnerabilities.

Can you post a screenshot of what you're seeing?

@ami.das

Katalon Studio v8.2.5 doesn't include the Log4J 2.17.0 upgrade that is in v8.2.3.beta.

We planned to update to Log4J v2.17.1 (the complete version to fix Log4Shell) in v8.3.0.

Thanks for the update. May I know when 8.3.0 will be coming? This is urgent. Please respond ASAP. Thanks

@Russ_Thomas
The following is from v8.2.3 (…\configuration\resources\lib)
image

And this is from 8.2.5:

  1. No log4j jar in …\configuration\resources\lib directory
  2. The following I found in \plugins:

Wondering why we don't have the 2.17.0 log4j in v8.2.5? Also, please suggest when 8.3.0 will be coming in. This is a bit urgent!

1 Like
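The directory comparison in the post above can be scripted. This is an added example, not part of the original thread or Katalon's own tooling: it lists every jar whose name contains log4j under an install directory and checks its version against the 2.17.1 requirement mentioned in the thread. The function names and the two Maven-style sample file names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Minimum log4j version the poster's compliance team asked for in the thread.
REQUIRED = (2, 17, 1)
# Three-part version after "log4j", covering both jar naming styles:
#   OSGi bundle: org.apache.log4j_1.2.15.v201012070815.jar
#   Maven style: log4j-core-2.17.0.jar, log4j-1.2-api-2.17.1.jar
VERSION_RE = re.compile(r"log4j.*?[_-](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

def parse_version(filename):
    """Return (major, minor, patch) parsed from a jar file name, or None."""
    m = VERSION_RE.search(filename)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version):
    """Map a parsed version to a status; unparsed names are kept, not dropped."""
    if version is None:
        return "unknown"          # e.g. a two-part version: inspect manually
    if version[0] == 1:
        return "1.x"              # log4j 1.x line, not the 2.x upgrade
    return "ok" if version >= REQUIRED else "below-required"

def scan(root):
    """List every jar under root whose file name contains 'log4j'."""
    root = Path(root)
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        if "log4j" in jar.name.lower():
            version = parse_version(jar.name)
            findings.append((jar.relative_to(root).as_posix(), version, classify(version)))
    return findings

def demo():
    """Scan a constructed install tree (empty placeholder files, not real jars)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("plugins/org.apache.log4j_1.2.15.v201012070815.jar",  # name from the thread
                    "configuration/resources/lib/log4j-core-2.17.0.jar",  # constructed
                    "configuration/resources/lib/log4j-api-2.17.1.jar"):  # constructed
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.touch()
        return scan(tmp)

if __name__ == "__main__":
    for rel, version, status in demo():
        print(f"{status:15} {version} {rel}")
```

Matching is on file names only, so a log4j copy repackaged inside another jar will not be listed.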

As to what happened to leave log4j 2x out of Katalon 5.2.5, this is just an educated guess…

There were a number of code branches in various states of development released prior to the release of 8.2.5, as evidenced by the number of alpha and beta releases leading up to its release. When the eventual merge took place to produce 8.2.5, the branch containing the new log4j (8.2.3) was left out, either deliberately or mistakenly. If it was deliberate, there would be good reasons for the decision.

You can see all releases and part-way follow the history, here: https://github.com/katalon-studio/katalon-studio/releases

It's unfortunate that 8.2.3.beta only carries a pre-release tag which doesn't help figure out which release it is targeting (other than 8.2.3 which never saw the light of day, as we've seen).

My supposition: this was a merge mistake.

If that's true, I'd expect Katalon to release 8.2.5.1 or 8.2.6 soon, which would be sooner than waiting for whatever else 8.3 might be targeting.

Thanks @Russ_Thomas for the update. Yes, I would request to release the next version as soon as possible. Our Security compliance management team won't let us use the version having any vulnerability. Btw, can you tell me what will be the impact if we use the 8.2.5 by removing the org.apache.log4j_1.2.15.v201012070815.jar from current version 8.2.5? I am not sure if we can go without that!

It's likely to cause exceptions and/or crash Katalon.

Why not drop back to 8.2.3 beta?

Our company security compliance team informed us to go with 2.17.1 of log4j; that's why we didn't install Katalon 8.2.3 beta. It would be great if you could give me an estimated date of the next Katalon release.

I'm a user, like you :neutral_face:

@duyluong Any comment?

Thanks @Russ_Thomas

@duyluong any idea when 8.3.0 will be released that will have log4j 2.17.1 ?

@ami.das @Russ_Thomas

The ETA of v8.3.0 is the end of March and the beta version will be available this week.

1 Like

@ami.das 8.3.0 beta has been released. See…

1 Like