Investigate Log4shell impact

[ghost]

Expected result

Check if Log4shell vulnerability (CVE-2021-44228) impacts Kontent Java Packages.

Additional context

In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Resources

https://logging.apache.org/log4j/2.x/security.html
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)

[ghost]

No. Kentico Kontent Java SDK is not impacted by Log4j vulnerability.
By investigation, we figure out that this SDK uses slf4j library that uses log4j under the hood. However, SKD doesn't log any user input that could lead to the exploitation of this vulnerability.

Short-term vision: The current version of SDK doesn't allow interaction with the logging engine and using it without any changes in logging is safe.

Long-term vision: Upgrade the logging engine to the latest version if it's possible or change the logging engine to be sure that any future changes in logging won't make it vulnerable