While Conduktor Desktop was not affected by the latest CVE discovered in Log4j v2 (CVE-2021-44228), the event prompted the JVM community to look for similar, less severe issues in Logback, the SLF4J implementation used at Conduktor and shipped with Conduktor Desktop.
We became aware of this vulnerability, CVE-2021-44228, when it was announced late last week and immediately conducted a comprehensive analysis of our build to identify any dependency using the Apache Log4j logging library.
This analysis showed that:
Conduktor Desktop is not vulnerable to this CVE (confirmed by a Snyk analysis of Conduktor Desktop v2.19.3).
None of our dependencies depend on Log4j v2.
Conduktor Desktop and the libraries it uses were not, and are not, using Log4j v2.
Our analysis did, however, identify potential issues with Logback v1.2.7 and Log4j v1.
As explained by the Logback team here, Logback versions before v1.2.8 were affected by security issues that were fixed in v1.2.8. Unlike the Log4j v2 CVE, these issues require an attacker who is already able to modify the Logback configuration file, which is why they are considered less severe.
Earlier versions of Conduktor Desktop ship with Logback v1.2.7, which is affected by those issues.
Logback v1.2.9, released yesterday (2021.12.16), further hardens the code against similar issues.
The latest version of Conduktor Desktop, v2.20.1, ships with Logback v1.2.9 to ensure maximum security for our clients.
Another potential issue affecting Conduktor Desktop prior to v2.20.0 was that some dependencies pulled in Log4j v1, which is not affected by CVE-2021-44228 but has been end of life since 2015 and may carry security issues of its own.
To fix this, all dependencies on Log4j v1 have been excluded from the Conduktor Desktop build as of v2.20.0.
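The analysis described above boils down to two checks a practitioner can automate: find every copy of Log4j v1, Log4j v2 and Logback in a build, including copies shaded inside a fat JAR where a plain dependency listing does not show them, and compare the Logback version against the fixed release. The script below is an added example and is not Conduktor's own tooling (the analysis above was done with Snyk); it assumes a directory of JARs as input, and the sample JARs it creates (the app-fat.jar, BOOT-INF/lib path and log4j-1.2.17.jar names) are constructed test data, not real artifacts.

```python
"""Scan a directory of JARs for Log4j 1.x, Log4j 2.x and Logback, descending into
nested (shaded / fat) JARs that a top-level dependency listing does not show."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

LOG4J1_PREFIX = "org/apache/log4j/"          # Log4j 1.x package root
LOG4J2_PREFIX = "org/apache/logging/log4j/"  # Log4j 2.x package root
JNDI_LOOKUP = LOG4J2_PREFIX + "core/lookup/JndiLookup.class"  # class exploited via CVE-2021-44228
LOGBACK_PREFIX = "ch/qos/logback/"
# Maven metadata shipped inside JARs; it records the artifact's own version.
POM_RE = re.compile(r"META-INF/maven/(ch\.qos\.logback|org\.apache\.logging\.log4j|log4j)/([^/]+)/pom\.properties$")
MIN_SAFE_LOGBACK = (1, 2, 8)  # first Logback release with the fixes discussed above


def version_tuple(version):
    """'1.2.7' -> (1, 2, 7); trailing qualifiers such as '-alpha1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def scan_jar_bytes(data, name, findings):
    """Record which logging libraries (and versions) appear in one JAR, recursing into nested JARs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["unreadable"].add(name)
        return
    with zf:
        for entry in zf.namelist():
            if entry.startswith(LOG4J1_PREFIX):
                findings["log4j1"].add(name)
            elif entry.startswith(LOG4J2_PREFIX):
                findings["log4j2"].add(name)
                if entry == JNDI_LOOKUP:
                    findings["jndi_lookup"].add(name)
            elif entry.startswith(LOGBACK_PREFIX):
                findings["logback"].add(name)
            m = POM_RE.search(entry)
            if m:
                props = zf.read(entry).decode("utf-8", "replace")
                ver = re.search(r"^version=(.+)$", props, re.M)
                if ver:
                    findings["versions"].append((name, m.group(1), m.group(2), ver.group(1).strip()))
            if entry.endswith(".jar"):  # shaded or fat JAR: the interesting classes are one level down
                scan_jar_bytes(zf.read(entry), f"{name}!/{entry}", findings)


def scan_dir(root):
    """Scan every *.jar under root (e.g. an unpacked installer or a Maven/Gradle cache)."""
    findings = {"log4j1": set(), "log4j2": set(), "jndi_lookup": set(), "logback": set(),
                "versions": [], "unreadable": set()}
    for jar in sorted(Path(root).rglob("*.jar")):
        scan_jar_bytes(jar.read_bytes(), jar.relative_to(root).as_posix(), findings)
    return findings


def assess(findings):
    """Turn raw findings into the statements an advisory like this one has to make."""
    issues = []
    for j in sorted(findings["jndi_lookup"]):
        issues.append(f"CVE-2021-44228 exposure: JndiLookup.class present in {j}")
    for j in sorted(findings["log4j2"] - findings["jndi_lookup"]):
        issues.append(f"Log4j 2 classes present in {j}; verify the version")
    for j in sorted(findings["log4j1"]):
        issues.append(f"Log4j 1.x (end of life) present in {j}")
    for name, group, artifact, ver in sorted(findings["versions"]):
        if group == "ch.qos.logback" and version_tuple(ver) < MIN_SAFE_LOGBACK:
            issues.append(f"{artifact} {ver} is older than 1.2.8 in {name}")
    for j in sorted(findings["unreadable"]):
        issues.append(f"could not open {j} as a JAR; inspect it manually")
    return issues


def _jar(entries):
    """Build an in-memory JAR from {entry name: bytes}. Constructed test data, not a real library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


def write_sample_jars(root):
    """Constructed sample mirroring the pre-2.20.0 situation described above: a fat JAR that
    shades Logback 1.2.7, a stray Log4j 1.x JAR, and a clean JAR. File names are hypothetical."""
    root = Path(root)
    logback = _jar({"ch/qos/logback/classic/Logger.class": b"",
                    "META-INF/maven/ch.qos.logback/logback-classic/pom.properties": b"version=1.2.7\n"})
    (root / "app-fat.jar").write_bytes(_jar({"com/example/Main.class": b"",
                                             "BOOT-INF/lib/logback-classic-1.2.7.jar": logback}))
    (root / "log4j-1.2.17.jar").write_bytes(_jar({"org/apache/log4j/Logger.class": b""}))
    (root / "clean.jar").write_bytes(_jar({"org/slf4j/Logger.class": b""}))


def demo():
    """Run the scanner over the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_jars(d)
        return assess(scan_dir(d))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against a real installation, point scan_dir at the application's lib directory instead of the constructed sample; the nested-JAR recursion is what catches a Logback or Log4j copy bundled inside an application JAR, which is exactly the copy that a dependency report generated from the build file can miss. A clean result here is necessary but not sufficient: a dependency scanner such as the one used above also checks for known CVEs in the versions it finds.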
In short:
Conduktor Desktop was not affected by the latest CVE discovered in Log4j v2 (CVE-2021-44228).
All dependencies on Log4j v1 have been removed as of v2.20.0.
The latest Logback release, v1.2.9, ships with our latest release, v2.20.1.
At Conduktor, safeguarding the security of our users’ data is at the heart of everything we do. We work hard to improve the app with each new version and as such, we always recommend updating to the latest version of Conduktor to ensure maximum security.