Overview
This article addresses concerns about the presence of the log4j library in FogBugz, specifically the vulnerabilities reported against that library, such as CVE-2021-4104, CVE-2020-9488, CVE-2019-17571, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307. The key questions are:
- Do these impact FogBugz?
- Will future versions of FogBugz upgrade or exclude the log4j library to avoid potential security risks?
Solution
Based on the analysis of the reported vulnerabilities, the following points are noted:
- CVE-2021-4104 and CVE-2020-9488 are related to JMSAppender and SMTPAppender, respectively, which are not utilized in FogBugz.
- CVE-2019-17571 affects applications using SocketServer, a component not found in the Elasticsearch version used by FogBugz (1.6.2) or in the FogBugz source code.
- CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307 are related to vulnerabilities in functionalities like JNDI lookups and JDBCAppender, which are also not employed by FogBugz.
Given this analysis, while the log4j library is present in the on-premises version of FogBugz, the specific vulnerabilities listed above do not affect the application, because FogBugz does not use the vulnerable components they depend on. No immediate remediation is therefore required for these vulnerabilities in the context of FogBugz's use of log4j.
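The reasoning above rests on one fact: each listed CVE is only reachable when a particular log4j 1.x component (an appender, sink, or server class) is actually configured or loaded. The following Python script, added here as an example and not FogBugz or Fog Creek code, lets an administrator check that claim against their own log4j.properties or log4j.xml. The component-to-CVE mapping follows the article, with two details filled in from the CVE descriptions rather than from the page: CVE-2022-23302 concerns JMSSink (which performs the JNDI lookup the article mentions) and CVE-2022-23307 concerns the Chainsaw viewer classes. The sample configurations are constructed for the demonstration. The check is configuration-level only: a class such as SocketServer, which is launched as its own process rather than declared in a config file, will not show up here, so the script complements rather than replaces the source and classpath review the article describes.

```python
"""Audit a log4j 1.x configuration for the components tied to the CVEs
discussed in the article. Added example, not FogBugz code."""
import re

# Component -> CVE, as the article maps them. JMSSink and Chainsaw are taken
# from the CVE descriptions for CVE-2022-23302 and CVE-2022-23307; the article
# itself only names "JNDI lookups and JDBCAppender" for that group.
RISKY_COMPONENTS = {
    "org.apache.log4j.net.JMSAppender": ["CVE-2021-4104"],
    "org.apache.log4j.net.SMTPAppender": ["CVE-2020-9488"],
    "org.apache.log4j.net.SocketServer": ["CVE-2019-17571"],
    "org.apache.log4j.net.JMSSink": ["CVE-2022-23302"],
    "org.apache.log4j.jdbc.JDBCAppender": ["CVE-2022-23305"],
    "org.apache.log4j.chainsaw": ["CVE-2022-23307"],
}

# Constructed sample: console and rolling-file logging only, with a disabled
# (commented-out) JDBCAppender line that must not be flagged.
SAFE_PROPERTIES = """\
# constructed sample log4j.properties
log4j.rootLogger=INFO, console, file
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=app.log
# log4j.appender.jdbc=org.apache.log4j.jdbc.JDBCAppender
"""

# Constructed sample: an XML config that really does wire up JMSAppender,
# plus a commented-out JDBCAppender that must be ignored.
RISKY_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <!-- <appender name="db" class="org.apache.log4j.jdbc.JDBCAppender"/> -->
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""


def audit_log4j_config(text):
    """Return a sorted list of (component, [cve, ...]) pairs for every risky
    component referenced in the given log4j.properties or log4j.xml text.

    Properties-style comment lines (# or !) and XML comments are ignored so
    that a disabled appender is not reported as a finding."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)  # drop XML comments
    findings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "!")):
            continue
        for component, cves in RISKY_COMPONENTS.items():
            if component in stripped:
                findings[component] = cves
    return sorted(findings.items())


def is_exposed(text):
    """True when the configuration references at least one risky component."""
    return bool(audit_log4j_config(text))


if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_PROPERTIES), ("risky", RISKY_XML)):
        print(name, "->", audit_log4j_config(cfg) or "no risky components")
```

Run it against each log4j configuration file shipped with or edited for the installation; an empty result means the configuration does not enable any of the components behind the listed CVEs, which is exactly the condition the article's conclusion depends on.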
However, the request to exclude or upgrade log4j in future versions of FogBugz has been raised with the product management team. Whether log4j is removed or upgraded in a future version will be decided by the product management team based on its overall assessment of risk and necessity.