Hello guys, Many thanks in advance! Best regards
Hi!
No, Gitblit is not affected. It uses log4j, but version 1.2.17, which is not affected. The vulnerable log4j versions start at log4j version 2.0.
To reach a similar effect with log4j 1.2.x, a distinctive custom configuration of log4j needs to be set up (via JMSAppender). Gitblit does not make use of that in its configuration and is thus not affected.
If using Gitblit with its default settings, you will have no problem. Only if you have changed the log4j configuration in an exploitable way for your use case will you have to fix that.
Also, you should protect your installation against attempts to deposit an exploitable log4j configuration file.
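To check whether a log4j 1.2.x configuration has been changed in the way the reply above describes, the following added example (not code from Gitblit or from the reply) reports every appender of class `org.apache.log4j.net.JMSAppender` in a properties-style or XML-style log4j 1.x configuration and whether any logger references it. The function names and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"

def parse_properties(text):
    """Minimal Java .properties reader: skips comments, joins '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def find_jms_appenders_properties(text):
    """Return {appender_name: attached_to_a_logger} for JMSAppender entries."""
    props = parse_properties(text)
    prefix = "log4j.appender."
    jms = {k[len(prefix):] for k, v in props.items()
           if k.startswith(prefix) and v == JMS_CLASS}
    attached = set()
    for k, v in props.items():
        # Logger values look like "LEVEL, appender1, appender2"
        if re.match(r"log4j\.(rootLogger|rootCategory|logger\.|category\.)", k):
            attached |= {a.strip() for a in v.split(",")[1:]}
    return {name: name in attached for name in jms}

def find_jms_appenders_xml(text):
    """Same check for the log4j.xml form (<appender> / <appender-ref>)."""
    root = ET.fromstring(text)
    jms = {a.get("name") for a in root.iter("appender")
           if a.get("class") == JMS_CLASS}
    attached = {r.get("ref") for r in root.iter("appender-ref")}
    return {name: name in attached for name in jms}

# Constructed sample, not Gitblit's shipped configuration.
SAMPLE = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.DailyRollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.spare = \\
    org.apache.log4j.net.JMSAppender
"""
```

An empty result means the configuration defines no JMSAppender; an entry mapped to `True` is one that a logger actually uses and should be reviewed first.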