Posted on 2021-12-13 by René Pfeuffer

Hey SCM-Manager Community,

We're sure you've heard about the vulnerability in log4j called Log4Shell. As far as we can say, SCM-Manager is not affected by this, because log4j is not used in SCM-Manager (for logging, we use Logback).

However, if you have installed plugins from external sources, you can check whether log4j is present anywhere in the running instance by executing this little script with the script plugin:

println org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource

If you get the following error, everything should be fine:

javax.script.ScriptException: javax.script.ScriptException: groovy.lang.MissingPropertyException: No such property: org for class: Script0

If log4j is available, the script instead prints the code source of the class, i.e. the location of the library it was loaded from.
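As an added example (not part of the original post), here is a slightly more explicit variant of the same check for the script plugin. It is written for the Groovy engine the one-liner above targets, looks the classes up by name instead of relying on a MissingPropertyException, and assumes that the script's own classloader and the thread's context classloader are the ones worth inspecting:

```groovy
// Added example for the SCM-Manager script plugin (not from the original post).
// Looks up the log4j 2 classes by name and reports where each one was loaded from.
def candidates = [
    'org.apache.logging.log4j.core.lookup.JndiLookup', // the class behind Log4Shell
    'org.apache.logging.log4j.LogManager'              // log4j 2 API entry point
]

// Assumption: these two loaders cover what the script plugin can see.
def loaders = [this.class.classLoader, Thread.currentThread().contextClassLoader]
        .findAll { it != null }
        .unique()

candidates.each { name ->
    def found = false
    loaders.each { loader ->
        try {
            // initialize = false: only resolve the class, never run its static initializers
            def clazz = Class.forName(name, false, loader)
            def location = clazz.protectionDomain?.codeSource?.location
            println "${name}: FOUND, loaded from ${location ?: 'unknown location'} via ${loader}"
            found = true
        } catch (ClassNotFoundException ignored) {
            // not visible through this loader; try the next one
        }
    }
    if (!found) {
        println "${name}: not found"
    }
}
```

A plugin that bundles log4j in a classloader the script plugin cannot see will not show up here, just as it would not with the one-liner; checking the plugin's jar files on disk complements this runtime check.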

Feel free to contact us if you have further questions. You can contact the DEV team directly on GitHub and make sure to check out our new community platform.

Update (2021-12-15)

On December 14th the Logback team released a patch that removed a potential vulnerability. It can be exploited if the attacker has write access to the Logback configuration file. Although this should not be possible with SCM-Manager out of the box, we still recommend upgrading to version 2.27.3 of SCM-Manager, where we have updated this dependency.

Posted in scm-manager, security, release