Remote code execution vulnerability due to use of Log4j2
Affected product(s)
- Gradle Enterprise < 2021.3.6
- Gradle Enterprise Test Distribution Agent < 1.6.2
- Build Cache Node < 10.1
Severity
Critical
Published at
2021-12-13 (last updated on 2022-01-13)
Related CVE ID(s)
Description
Gradle Enterprise components use the Apache Log4j library, which for versions <= 2.14.1 contains a critical flaw, reported as CVE-2021-44228, that allows remote code execution in the host application.
This vulnerability is applicable to Gradle Enterprise server components, including the Test Distribution Agent and Build Cache Node. The Gradle Enterprise Gradle Plugin, the Gradle Enterprise Maven Extension, and the Test Distribution Gradle Plugin are unaffected.
This is a serious vulnerability that is prevalent in many Java-based applications. For more information, please see https://www.lunasec.io/docs/blog/log4j-zero-day/.
Additionally, a vulnerability against Log4j 2.16.0, reported as CVE-2021-45105, was discovered. Gradle Enterprise, the Gradle Enterprise Test Distribution Agent and the Gradle Enterprise Build Cache Node are not vulnerable to CVE-2021-45105 as they do not use the vulnerable log format pattern.
Later, another vulnerability against Log4j 2.17.0 was reported as CVE-2021-44832. Gradle Enterprise, the Gradle Enterprise Test Distribution Agent and the Gradle Enterprise Build Cache Node are not vulnerable to CVE-2021-44832 as logging configuration files are always loaded from the local disk and cannot be modified.
Gradle Enterprise users are strongly encouraged to update their components as described below.
Mitigation
The best mitigation is to ensure that you are using at least the following versions of Gradle Enterprise components:
- Gradle Enterprise 2021.3.7
- Gradle Enterprise Test Distribution Agent 1.6.3
- Gradle Enterprise Build Cache Node 10.2
These versions use an updated version of Log4j (2.16.0) that is not vulnerable to CVE-2021-44228 and CVE-2021-45046.
Using at least the following versions of Gradle Enterprise components will use Log4j 2.17.0:
- Gradle Enterprise 2021.4
- Gradle Enterprise Test Distribution Agent 1.6.4
- Gradle Enterprise Build Cache Node 11.0
Using at least the following versions of Gradle Enterprise components will use Log4j 2.17.1:
- Gradle Enterprise 2021.4.1
- Gradle Enterprise Test Distribution Agent 1.6.5
- Gradle Enterprise Build Cache Node 11.1
Alternatively, with respect to CVE-2021-44228, the Log4j feature that is vulnerable can be disabled by applying a JVM system property to each Gradle Enterprise component.
Gradle Enterprise
As a logged in administrator, use the top right navigation menu to access the “Administration → Advanced” section (or visit /admin/advanced of your server directly).
For each of the “Additional JVM options” fields, please add -Dlog4j2.formatMsgNoLookups=true (with a space between any preceding existing values).
After clicking “Save”, you will be prompted to initiate a restart of the server.
Note: if you are using an unattended installation mechanism that creates pre-configured installations, you will need to update the configuration file used when creating these installations.
Test Distribution Agent
If using the agent JAR file directly, amend the command used to start the process by adding -Dlog4j2.formatMsgNoLookups=true to the command before the -jar argument.
If using the provided Docker image, start the container with the environment variable TEST_DISTRIBUTION_AGENT_OPTS="-Dlog4j2.formatMsgNoLookups=true -Xms64m -Xmx64m -XX:MaxMetaspaceSize=64m".
Build Cache Node
If using the node JAR file directly, amend the command used to start the process by adding -Dlog4j2.formatMsgNoLookups=true to the command before the -jar argument.
If using the provided Docker image, start the container with the environment variable JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true".
Further assistance
If you have any questions or need any assistance in applying the mitigations please contact Gradle Enterprise support or your customer success representative.