Summary

On the 9th of December, a Remote Code Execution exploit CVE-2021-44228 was discovered in a popular Java logging library called Log4j2. It became widespread and known to have been exploited in the wild. This incident was created for further investigation and response to fully understand and respond to the potential attacks on Katalon assets. Based on our internal review, Katalon users are not affected by this vulnerability.

TestOps

Katalon TestOps is not affected by this vulnerability. TestOps uses the default implementation of Spring Boot (implemented Logback through SLF4J for logging). As noted by the Spring Boot team: "Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2.”

Any vulnerability that might exist in TestOps has been mitigated to some extent in its Web Application Firewall (WAF) controls, which have been updated to block requests embedding known attacks on this vulnerability.

As of 13 December 2021, TestOps has been upgraded to include Log4J v2.15.0 in its dependencies. In combination with the WAF controls noted above, these corrective actions should completely mitigate any exposure in TestOps.

Studio

Katalon Studio uses Log4J v1.2.15. This version is not as vulnerable as the version identified in the CVE—particularly given that we are not using the JMSAppender. 

Everything that applies to KSE also applies to KRE.

KS 8.2.3.beta packed with Log4j version 2.17.0 is now available!

This beta release upgraded log4j to version 2.17.0.

Download it from our GitHub Repo at: https://github.com/katalon-studio/katalon-studio/releases/tag/v8.2.3.beta

We are encouraging our users to download and use 8.2.3.beta. During your usage, please do let us know of any feedback that you have with this version.