On Friday 10 December 2021 NIST published CVE-2021-44228 describing a vulnerability in Log4j. Since that time we have had a number of customers contacting our Support Team to ask if Chocolatey products are vulnerable.
Apache provide Log4j, a very popular Java based logging library. The CVE NIST published identified an issue in the JNDI features of versions 2.0.0 to 2.14.1 of Log4j. Several Chocolatey products use log4net, a .NET logging library also from Apache. While it has a similarly sounding name, it is not vulnerable and has no known security vulnerabilities at the time of this writing.
Are Chocolatey Products Affected?
Chocolatey products do not run on, or use, Java and do not use the Log4j logging library. The Chocolatey For Business products below are therefore NOT vulnerable:
- Chocolatey CLI
- Chocolatey Licensed Extension
- Chocolatey Agent
- Chocolatey GUI
- Chocolatey GUI Licensed Extension
- Chocolatey Central Management
While we call out the above Chocolatey For Business products specifically, no Chocolatey products, business or open-source, use the Log4j logging library and are therefore NOT vulnerable.
Chocolatey For Business Quick Deployment Environment (QDE)
Our Quick Deployment Environment enables customers to get up and running with Chocolatey For Business in as little as 20 minutes. We provide this in Azure and also as a Quick Start Guide. In the past we have also provided this as a virtual machine image that you can import into your hypervisor of choice.
Whatever flavour of QDE you have, it has three components which we have confirmed are NOT vulnerable.
Sonatype Nexus Repository OSS
Sonatype have confirmed that Nexus uses the logback logging library and not Log4j and is therefore not vulnerable. Sonatype provides more information on it's website and we have used the code in that article to verify both our Azure and virtual machine QDE environments.
The Jenkins team have confirmed that Jenkins Core does not use the Log4j logging library and they provide more information on their website. However, the Jenkins team do point out that plugins added to Jenkins may include Log4j.
The Chocolatey For Business QDE environments include additional Jenkins plugins and we have used the methods provided in the article to confirm that they are NOT vulnerable. If you have added plugins to Jenkins in your QDE environment then you will need to use the methods Jenkins provide to confirm the vulnerability of those plugins. Chocolatey is not responsible for any plugins that have been added to your QDE environment.
Chocolatey Central Management
As confirmed above, Chocolatey Central Management does not run on, or use, Java and is therefore NOT vulnerable.
SQL Server Express (QDE Virtual Machine Image)
As mentioned above, we have in the past provided QDE as a virtual machine image that you can import into your hypervisor of choice. This image uses SQL Server Express as the database for Chocolatey Central Management.
While the current Log4j vulnerabilities are for versions 2.0.0 to 2.14.1, NIST has recently created a CVE for a Log4j vulnerability in version 1.2. While Chocolatey products do not run on, or use Java, SQL Server includes version 1.2.17 of Log4j at the path
C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\. Microsoft have provided some general guidance on Log4j2, along with guidance specifically for SQL Server confirming that the JAR files should be removed if they are not required. It would also appear that these libraries are only used if Java is used to interact with SQL Server. See the following posts for more information on this issue:
Apache provides more information on version 1.x of Log4j:
Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
We recommend concerned customers manually move the Log4j files, provided with SQL Server in
C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars, to a Zip archive. Once the files have been moved from the file system to the Zip archive, restart the Chocolatey Central Management SQL Server instance and monitor until you are sure there are no issues. If you experience issues, the files can be restored from the Zip archive and restart the SQL Server instance again.
The most common repository managers used with Chocolatey are Sonatype Nexus and JFrog Artifactory and we recommend both of those products to customers. While we have confirmed that Sonatype Nexus is not vulnerable above, we wanted to also confirm JFrog Artifactory is also NOT vulnerable.
Forescout have put together an analysis of the ongoing Log4j issues that provides more technical information.
We hope this post answers your question as to whether Chocolatey products are vulnerable. However, if you are a Chocolatey For Business customer and have more questions, please reach out to our Support Team as normal. You can find out your options on how to do so by running
choco support from the command line.
- #news 63 Number of post with tag news
- #press release 51 Number of post with tag press release
- #chocolatey for business 29 Number of post with tag chocolatey for business
- #open source 14 Number of post with tag open source
- #chocolatey community repository 7 Number of post with tag chocolatey community repository
- #chocolatey central management 6 Number of post with tag chocolatey central management
- #packaging 6 Number of post with tag packaging
- #chocolatey cli 5 Number of post with tag chocolatey cli
- #how to 5 Number of post with tag how to
- #announcements 3 Number of post with tag announcements