GrammaTech has actively responded to the remote code execution vulnerability in the Apache log4j 2 Java library dubbed Log4Shell (or LogJam). We have investigated and taken action for GrammaTech products that may be potentially impacted, and as listed below we continually publish information to help customers detect, investigate and mitigate attacks, if any, to their GrammaTech products and services.
CodeSonar's Java and .NET analyses use log4j. The possible attack vector would be through analysis of malicious java or .NET code that has been crafted to take advantage of this vulnerability. It is important to note *no* network servers are affected.
This release includes log4j 2.17.0 which resolves the threat posed by remote code execution and does not require any changes.
CodeSonar 6.0 and 6.1
Customers not analyzing java or .NET code (i.e., running cs-java-scan or cs-dotnet-scan) are not affected. Customers not analyzing java or .NET code can delete codesonar-CodeSonar_DIR/csurf/lib/codesonarj-cli-pp/log4j-*.jar to silence complaints from vulnerability scanning tools, without fear of breaking CodeSonar.
Customers who are analyzing Java or .NET code should mitigate the risk by using a patched release of CodeSonar. If you are not using a patched installer removing the JndiLookup and JndiManager classes from CodeSonar_DIR/csurf/lib/codesonarj-cli-pp/log4j-core.jar would eliminate risk, but may or may not cause CodeSonar to experience errors.
CodeSonar 5.4 and earlier
With CodeSonar 5.4 and earlier, log4j is only used if cs-java-scan or cs-dotnet-scan is used with the '-julia-analyze' command line flag. To silence complaints from vulnerability scanning tools, one can delete codesonar-5.4p0/third-party/julia-tools/lib/log4j-*.jar and codesonar-5.4p0/third-party/julia-sarif/lib/log4j-*.jar. As long as '-julia-analyze' is not used, CodeSonar functionality will not be impaired.
If you are using Standalone CodeSonar 3.2 (Java/C#) or JuliaSoft 3.0 then the advice is to move to a supported release of CodeSonar, namely 6.x. If you require assistance in upgrading please submit a ticket.
Patched Installer Updates
The following timelines for patched releases can be found below.
As per the Apache home page, the fix to CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. In version 2.16.0, Log4j disables access to JNDI by default, see CVE-2021-45046. In version 2.17.0, there is a fix, so does not always protect from infinite recursion in lookup evaluation, see CVE-2021-45105.
|Version||Log4j Version||Release Timeline|
|CodeSonar 6.2 (New Release - source & binary)||
p1 included 2.17.0
p2 included 2.17.1
p2 released Friday 7th January 2022, which has superseded p1
|CodeSonar 6.1 (source & binary)||
p3 included 2.17.0
p3 released Wednesday 22nd Dec 2021 and has superseded p2
|CodeSonar 6.0 (for source only)||
p2 included 2.17.0
p2 released Thursday 23rd Dec 2021 and superseded p1
|Earlier Versions beyond 6.0||
|Only active releases will be patched, see Product Support matrix|
Downloading Updated Installers
Downloading CodeSonar for Source can be done here
Download CodeSonar for Binaries can be done here
Latest Log4j Updates
In version 2.17.0, a vulnerability to RCE via JDBC Appender when attacker controls configuration, see CVE-2021-44832 was reported and the following advice is available to customers.
GrammaTech has carefully evaluated the risk of the most recently reported vulnerability in log4j. Based on the fact that the exploit requires elevated privilege and direct access to the configuration of log4j in CodeSonar, we have assessed the risk to our users as low.
On Friday 7th January 2022, CodeSonar 6.2p2 was released which now includes log4j 2.17.1 and supersedes 6.2p1 which was released on Tuesday 21st December 2021. At this time no further patching will take place on any supported version of CodeSonar which includes 6.1p3 and 6.0p2.
We will assess and update alternative strategies, and will update our plans for future remediation if there are any changes to log4j.
If you do have any other questions or concerns please submit a ticket.
Article Change History
|Modification Date||Changes Performed|
|12/15/2021||Added "codesonar-5.4p0/third-party/julia-sarif/lib/log4j-*.jar." to CodeSonar 5.4 and earlier.|
|12/15/2021||Added Patched Installer Updates Table.|
|12/15/2021||Enabled comments to be added to article which will generate email notifications.|
|12/15/2021||Added Article Change History Table.|
|12/16/2021||Updated text under Patched Installer Updates. Further delays for CodeSonar patched installers but provisional date set for CodeSonar 6.1.|
|12/16/2021||Timelines for 6.0/6.1/6.2 updated in Patched Installer Updates|
|12/17/2021||Remove references of log4j v2.15.0 which will NOT be included in patched installers.|
|12/17/2021||CodeSonar 6.1p2 is now available to download, see Patched Installer Updates|
|12/20/2021||Apache Updates for log4j and revised timelines for patched/unpatched CodeSonar versions, see Patched Installer Updates|
|12/20/2021||Added Downloading Updated Installers and CodeSonar 6.2p0 is now available for download, see Patched Installer Updates|
|12/21/2021||CodeSonar 6.2p1 has superseded p0 and is now available for download, timelines for 6.1p3 and 6.0p2 have been added, see Patched Installer Updates|
|12/22/2021||CodeSonar 6.1p3 has superseded p2 and is now available for download, timeline for 6.0p2 have been updated, see Patched Installer Updates|
CodeSonar 6.0p2 has superseded p1 and is now available for download, see Patched Installer Updates.
All supported versions of CodeSonar have now been patched with log4j 2.17.0.
Added CodeSonar 6.2
Revised wording across the article to ensure language is accurate because patched installers have now been completed for all supported releases of CodeSonar.
Apache Updates for log4j, see CVE-2021-44832 and 2.17.1 which was released on 12/28/2021.
Currently assessing impact of new vulnerability and whether any changes are needed to CodeSonar supported versions.
Added Latest Log4j Updates in regards to log4j 2.17.1
Updated CodeSonar 5.4 and earlier in respect to Standalone CodeSonar 3.2 (Java/C#) and legacy Juliasoft customers.
|1/7/2022||CodeSonar 6.2p3 has superseded p2 and is now available for download, see Patched Installer Updates and Latest Log4j Updates|
|1/12/2022||Minor language changes to Latest Log4j Updates explaining what updates will be made on strategy if there are any changes in log4j.|
We recommend you follow the support advisory section and this article to receive email updates on when comments are added to this article.