Posted on 2021-12-13 by René Pfeuffer
Hey SCM-Manager Community,
We're sure you've heard about the vulnerability in log4j called Log4Shell. As far as we can say, SCM-Manager is not affected by this, because log4j is not used in SCM-Manager (for logging, we use Logback).
However, if you have installed plugins from external sources, you can check whether log4j is used somewhere by running this little script using the script plugin:
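The post's own script is not reproduced on this page. As an added example (not the script from the original post, and not part of SCM-Manager), the following Groovy snippet performs the same kind of check in a way that does not depend on a `MissingPropertyException` to signal the "good" case: it tries to load a few well-known log4j class names and reports which of them, if any, are visible, together with the jar they came from. It assumes it is pasted into the SCM-Manager script plugin, which runs Groovy inside the server JVM; the class names listed are real log4j 1.x/2.x classes, and the class-loader caveat in the comments is an assumption about how plugin isolation may affect visibility.

```groovy
// Added example, not the script from the original SCM-Manager post.
// Assumption: executed via the SCM-Manager script plugin, i.e. as Groovy inside the server JVM,
// so Class.forName sees whatever the script's class loader can reach. If a plugin ships log4j
// inside an isolated plugin class loader, it may not be visible from here, so treat "not found"
// as "not found from this script", not as a guarantee.
import java.security.CodeSource

// Well-known log4j entry points: the 2.x API, the 2.x core lookup class involved in Log4Shell,
// and the 1.x logger class.
static final List<String> LOG4J_CLASSES = [
    'org.apache.logging.log4j.LogManager',
    'org.apache.logging.log4j.core.lookup.JndiLookup',
    'org.apache.log4j.Logger'
]

/** Returns one line per log4j class that could be loaded: "<class> (from <jar location>)". */
static List<String> findLog4jClasses(List<String> candidates = LOG4J_CLASSES) {
    List<String> found = []
    candidates.each { String name ->
        try {
            Class<?> cls = Class.forName(name)
            CodeSource src = cls.protectionDomain?.codeSource
            String location = src?.location?.toString() ?: 'unknown location'
            found << "${name} (from ${location})".toString()
        } catch (ClassNotFoundException | NoClassDefFoundError ignored) {
            // Not loadable from this script's class loader: this is the expected, good case.
        }
    }
    return found
}

List<String> hits = findLog4jClasses()
if (hits.isEmpty()) {
    println 'No log4j classes found from the script class loader.'
} else {
    println 'log4j classes found (check whether the listed jar belongs to a plugin):'
    hits.each { println "  ${it}" }
}
```

If the output lists `JndiLookup` with a jar location, that jar is a log4j-core 2.x artifact and the plugin that ships it is the one to update or remove; the `LogManager` API jar alone does not contain the vulnerable lookup code but still tells you which plugin pulled in log4j.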
If you get the following error, everything should be fine:
javax.script.ScriptException: javax.script.ScriptException: groovy.lang.MissingPropertyException: No such property: org for class: Script0
If log4j is available, you will get the name of the library.
On December 14th, the Logback team released a patch that removes a potential vulnerability. It can only be exploited if the attacker has write access to the Logback configuration file. Although this should not be possible with SCM-Manager out of the box, we still recommend upgrading to SCM-Manager version 2.27.3, where we have updated this dependency.