Log4J zero day vulnerability

uomoe · March 21, 2022, 10:04pm

Is Duplicati vulnerable to the Log4J zero day vulnerability?

ts678 · March 21, 2022, 11:42pm

Welcome to the forum @uomoe

Log4j zero-day flaw: What you need to know and how to protect yourself

A flaw in Log4j, a Java library for logging error messages in applications

Duplicati is written in C# not Java. It has JavaScript too, but that’s not Java.

Xavron · March 22, 2022, 11:00am

It might be better to state if Duplicati uses Log4J. I don’t think it does. A whole lot of things do not. In fact, I would never use it in anything I create and a lot of others wouldn’t either.

ts678 · March 22, 2022, 1:01pm

There’s no sign of it in the source (link above, or download the whole thing, and search as you like).
This follows from the language comment. A Java library is made for use by a Java program, not C#.
It would also make no sense to use Log4j in a C# program, because there is already a log4net port.

Mixing different versions of managed code would also need two runtimes, not just .NET Framework
(or mono for non-Windows systems).which serves as a Common Language Runtime.for .NET code.
A Java virtual machine would be the equivalent of that for Java code, and Duplicati doesn’t use one.

EDIT:

If this means you create Java code, then you are more capable of looking for clues of use than I am. Duplicati encourages and relies on community for its existence and improvement. All, please chip in.

I have now checked the https://github.com/duplicati/ and https://github.com/kenkendk/ projects to see which languages are used. While I do see one in Java by the latter, I don’t think it’s in Duplicati, and even if it were somehow, I’m not seeing signs of Log4j in a GitHub source web search.

Searching all Duplicati dependencies down to the lowest levels is not practical, but to give an idea of “different ecosystems”, a Google search for log4net at the nuget.org repository of .NET apps finds numerous uses. This is not so for Log4j. For good measure, I also searched for 44228 which should
pick up any references to CVE-2021-44228 which is the identifier for this vulnerability per my first link.

Xavron · March 24, 2022, 3:50pm

Java and others yes. I also didn’t notice log4J in a quick Duplicati git search but that doesn’t mean they don’t use it somewhere else like with the server side of the remote connections like they do with Google Drive or even use Log4J based with another code language. Weird things get done.

I just don’t believe they are using it. Not everyone will. Asking doesn’t automatically mean they do. As such I wouldn’t care about researching it further.

To expand on that further anyway, for example there’s also log4net which is a .net implementation and was affected by vulnerability previously. It will likely see the same thing happen in time as log4j as this is the way it goes Apache Log4net : List of security vulnerabilities

There are others from Apache as well https://logging.apache.org/ not to mention others can take the code rename log4j to something else Forks · apache/logging-log4j2 · GitHub and that could be in use.

However, to note, I do use some Apache libraries. Just would never use log4j. That’s not my way of doing things there.