Posted to users@subversion.apache.org by surbhi khandelwal <su...@gmail.com> on 2021/12/12 01:43:43 UTC

CVE-2021-44228 log4j vulnerability

Hi

I am using svn, version 1.6.11 (r934486) on rhel 1.6. Could you kindly
help me understand if this is vulnerable to the latest Java vulnerability?


Httpd version I'm using is 2.2.15

Looking for your help

Re: CVE-2021-44228 log4j vulnerability

Posted by Mark Phippard <ma...@gmail.com>.
On Sun, Dec 12, 2021 at 7:31 AM Pavel Lyalyakin
<pa...@visualsvn.com> wrote:
>
> On Sun, Dec 12, 2021 at 5:34 AM surbhi khandelwal <su...@gmail.com> wrote:
>>
>> Hi
>>
>> I am using svn, version 1.6.11 (r934486) on rhel 1.6. Could you kindly help me understand if this is vulnerable to the latest Java vulnerability?
>>
>>
>> Httpd version I'm using is 2.2.15
>>
>> Looking for your help
>>
>>
>
> Apache Subversion and Apache HTTP Server are not Java applications. Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not depend on log4j either.
>
> Note that you are using outdated Subversion and Apache HTTP Server versions. They are affected by numerous issues, and you should consider upgrading to supported versions. The most recent versions are Subversion 1.14.1 and Apache HTTP Server 2.4.51.

I was typing up the same reply ... neither Subversion nor httpd would
be directly impacted by this, but you are running old versions with
other problems, so you should look to upgrade. The log4j vulnerability
only impacts apps that use a JVM, so in terms of Subversion you would
probably just want to look for any web apps you might be using with
your Subversion server, such as a repository browser or other tool that
is written in Java. But a vanilla Subversion server (or client) should
be fine.

Mark
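Mark's advice above is to look for Java web apps deployed beside the Subversion server. An added example of how to do that check (my code, not anything posted in this thread or shipped by Subversion, httpd or VisualSVN): it walks a directory tree, opens every jar/war/ear it finds, recurses into nested archives, and reports each log4j-core copy by version and by whether JndiLookup.class is still present. The directory layout and jar contents produced by `build_sample_tree` are constructed stand-ins for a repository browser deployed under a servlet container; against a real host you would point `scan_tree` at the container's webapps directory or at `/opt`, not at the sample tree.

```python
"""Added example (not code from the thread or from the Subversion project): find
log4j-core inside JAR/WAR/EAR archives on a host. The sample tree it builds is
constructed for illustration; only the two marker entries are real log4j paths."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Marker entries that ship in every log4j-core 2.x jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(pom_properties: str) -> Optional[Tuple[int, ...]]:
    """Read (major, minor, patch) from a 'version=2.14.1' line; '2.0-beta9' -> (2, 0, 0)."""
    for line in pom_properties.splitlines():
        if line.strip().startswith("version="):
            raw = line.split("=", 1)[1].strip().split("-")[0]
            nums = [int(p) for p in raw.split(".")[:3] if p.isdigit()]
            return tuple(nums + [0] * (3 - len(nums)))
    return None

def is_fixed_version(v: Tuple[int, ...]) -> bool:
    """CVE-2021-44228 was fixed in 2.15.0; 2.12.2 (Java 7) and 2.3.1 (Java 6) are the backports."""
    return v >= (2, 15, 0) or (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1)

def _scan_zip(zf: zipfile.ZipFile, display: str, findings: List[Dict]) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
        has_jndi = JNDI_CLASS in names
        fixed = version is not None and is_fixed_version(version)
        findings.append({
            "path": display,
            "version": ".".join(map(str, version)) if version else "unknown",
            "jndi_lookup_present": has_jndi,
            # Conservative: an unfixed (or unidentifiable) release that still carries JndiLookup.
            "vulnerable": has_jndi and not fixed,
        })
    # Recurse into nested archives: a .war's WEB-INF/lib/*.jar, an .ear's bundled .war, and so on.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{display}!{name}", findings)
            except zipfile.BadZipFile:
                continue

def scan_tree(root: str) -> List[Dict]:
    """Walk root, open every archive it contains, and return one finding per log4j-core copy."""
    findings: List[Dict] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, name)) as zf:
                        _scan_zip(zf, os.path.join(dirpath, name), findings)
                except zipfile.BadZipFile:
                    continue
    return findings

def _fake_jar(version: Optional[str], keep_jndi: bool = True) -> bytes:
    """Constructed stand-in for a jar: log4j-core markers when version is given, else a plain jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            if keep_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

def build_sample_tree() -> str:
    """Constructed layout: a Java repository browser deployed beside an svn server."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    webapps = os.path.join(root, "tomcat", "webapps")
    os.makedirs(webapps)
    with zipfile.ZipFile(os.path.join(webapps, "repo-browser.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-io-2.11.0.jar", _fake_jar(None))
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_jar("2.14.1"))  # the exposed copy
    loose = {"log4j-core-2.17.1.jar": _fake_jar("2.17.1"),                   # patched release
             "log4j-core-2.12.2.jar": _fake_jar("2.12.2"),                   # Java 7 backport
             "log4j-core-2.10.0.jar": _fake_jar("2.10.0", keep_jndi=False)}  # JndiLookup removed
    for name, data in loose.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print("VULNERABLE" if f["vulnerable"] else "ok        ", f["version"], f["path"])
```

Two limitations worth knowing before trusting a clean result: a repackaged ("shaded") jar that strips both marker entries is not detected, and a JVM that loads log4j from a path outside the scanned root is not seen at all, so also check which archives the running java processes actually have open.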

Re: CVE-2021-44228 log4j vulnerability

Posted by Bo Berglund <bo...@gmail.com>.
On Mon, 13 Dec 2021 11:55:18 +0300, Pavel Lyalyakin
<pa...@visualsvn.com> wrote:

>The vulnerability CVE-2021-44228 in the Java-based library Log4j affects
>Java-based products that depend on the Log4j library. As I said above,
>Apache Subversion is not a Java application and it does not use Log4j.
>VisualSVN Server is also not a Java application and it does not use Log4j.

Thank you for verifying this for me!
Much obliged. :)


-- 
Bo Berglund
Developer in Sweden


Re: CVE-2021-44228 log4j vulnerability

Posted by Pavel Lyalyakin <pa...@visualsvn.com>.
On Mon, Dec 13, 2021 at 1:35 AM Bo Berglund <bo...@gmail.com> wrote:

> On Sun, 12 Dec 2021 15:30:20 +0300, Pavel Lyalyakin
> <pa...@visualsvn.com> wrote:
>
> >Apache Subversion and Apache HTTP Server are not Java applications.
> >Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not
> >depend on log4j either.
>
> Sounds good.
>
> We are using VisualSVN on our main SVN server running on Windows Server
> 2016:
>
> H:\>svnadmin --version
> svnadmin, version 1.9.7 (r1800392)
>    compiled Nov 21 2017, 12:52:53 on x86_64-microsoft-windows6.1.7601
>
> It has no exposure to the Internet, just sits on the LAN.
>
>
> We have a backup server off-site running on Ubuntu Server 20.04.3:
>
> $ svnadmin --version
> svnadmin, version 1.13.0 (r1867053)
>    compiled Mar 24 2020, 12:33:36 on x86_64-pc-linux-gnu
>
> The latter is svnsync'ed from VisualSVN every night and is fully updated.
> It has no public interface, set to readonly except for the svnsync calls.
>
> Do we need to do anything for the "log4j" vulnerability?
>
>
> --
> Bo Berglund
> Developer in Sweden
>
>
The vulnerability CVE-2021-44228 in the Java-based library Log4j affects
Java-based products that depend on the Log4j library. As I said above,
Apache Subversion is not a Java application and it does not use Log4j.
VisualSVN Server is also not a Java application and it does not use Log4j.

-- 
With best regards,
Pavel Lyalyakin
VisualSVN Team

Re: CVE-2021-44228 log4j vulnerability

Posted by Bo Berglund <bo...@gmail.com>.
On Sun, 12 Dec 2021 15:30:20 +0300, Pavel Lyalyakin
<pa...@visualsvn.com> wrote:

>Apache Subversion and Apache HTTP Server are not Java applications.
>Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not
>depend on log4j either.

Sounds good.

We are using VisualSVN on our main SVN server running on Windows Server 2016:

H:\>svnadmin --version
svnadmin, version 1.9.7 (r1800392)
   compiled Nov 21 2017, 12:52:53 on x86_64-microsoft-windows6.1.7601

It has no exposure to the Internet, just sits on the LAN.


We have a backup server off-site running on Ubuntu Server 20.04.3:

$ svnadmin --version
svnadmin, version 1.13.0 (r1867053)
   compiled Mar 24 2020, 12:33:36 on x86_64-pc-linux-gnu

The latter is svnsync'ed from VisualSVN every night and is fully updated.
It has no public interface, set to readonly except for the svnsync calls.

Do we need to do anything for the "log4j" vulnerability?


-- 
Bo Berglund
Developer in Sweden


Re: CVE-2021-44228 log4j vulnerability

Posted by Pavel Lyalyakin <pa...@visualsvn.com>.
On Sun, Dec 12, 2021 at 5:34 AM surbhi khandelwal <su...@gmail.com>
wrote:

> Hi
>
> I am using svn, version 1.6.11 (r934486) on rhel 1.6. Could you kindly
> help me understand if this is vulnerable to the latest Java vulnerability?
>
>
> Httpd version I'm using is 2.2.15
>
> Looking for your help
>
>
>
Apache Subversion and Apache HTTP Server are not Java applications.
Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not
depend on log4j either.

Note that you are using outdated Subversion and Apache HTTP Server
versions. They are affected by numerous issues, and you should consider
upgrading to supported versions. The most recent versions are Subversion
1.14.1 and Apache HTTP Server 2.4.51.

-- 
With best regards,
Pavel Lyalyakin
VisualSVN Team