On Friday 10 December 2021 NIST published CVE-2021-44228 describing a vulnerability in Log4j. Since that time we have had a number of customers contacting our Support Team to ask if Chocolatey products are vulnerable.

Apache provide Log4j, a very popular Java based logging library. The CVE NIST published identified an issue in the JNDI features of versions 2.0.0 to 2.14.1 of Log4j. Several Chocolatey products use log4net, a .NET logging library also from Apache. While it has a similar-sounding name, it is not vulnerable and has no known security vulnerabilities at the time of this writing.

Are Chocolatey Products Affected?

Chocolatey products do not run on, or use, Java and do not use the Log4j logging library. The Chocolatey For Business products below are therefore NOT vulnerable:

  • Chocolatey CLI
  • Chocolatey Licensed Extension
  • Chocolatey Agent
  • Chocolatey GUI
  • Chocolatey GUI Licensed Extension
  • Chocolatey Central Management

While we call out the above Chocolatey For Business products specifically, no Chocolatey products, business or open-source, use the Log4j logging library and are therefore NOT vulnerable.

Chocolatey For Business Quick Deployment Environment (QDE)

Our Quick Deployment Environment enables customers to get up and running with Chocolatey For Business in as little as 20 minutes. We provide this in Azure and also as a Quick Start Guide. In the past we have also provided this as a virtual machine image that you can import into your hypervisor of choice.

Whatever flavour of QDE you have, it has three components which we have confirmed are NOT vulnerable.

Sonatype Nexus Repository OSS

Sonatype have confirmed that Nexus uses the logback logging library and not Log4j and is therefore not vulnerable. Sonatype provides more information on its website and we have used the code in that article to verify both our Azure and virtual machine QDE environments.

Jenkins

The Jenkins team have confirmed that Jenkins Core does not use the Log4j logging library and they provide more information on their website. However, the Jenkins team do point out that plugins added to Jenkins may include Log4j.

The Chocolatey For Business QDE environments include additional Jenkins plugins and we have used the methods provided in the article to confirm that they are NOT vulnerable. If you have added plugins to Jenkins in your QDE environment then you will need to use the methods Jenkins provide to confirm the vulnerability of those plugins. Chocolatey is not responsible for any plugins that have been added to your QDE environment.

Chocolatey Central Management

As confirmed above, Chocolatey Central Management does not run on, or use, Java and is therefore NOT vulnerable.

SQL Server Express (QDE Virtual Machine Image)

As mentioned above, we have in the past provided QDE as a virtual machine image that you can import into your hypervisor of choice. This image uses SQL Server Express as the database for Chocolatey Central Management.

While the current Log4j vulnerabilities are for versions 2.0.0 to 2.14.1, NIST has recently created a CVE for a Log4j vulnerability in version 1.2. While Chocolatey products do not run on, or use, Java, SQL Server includes version 1.2.17 of Log4j at the path C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\. Microsoft have provided some general guidance on Log4j2, along with guidance specifically for SQL Server confirming that the JAR files should be removed if they are not required. It would also appear that these libraries are only used if Java is used to interact with SQL Server. See the following posts for more information on this issue:

Apache provides more information on version 1.x of Log4j:

NOTE

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

We recommend concerned customers manually move the Log4j files, provided with SQL Server in C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars, to a Zip archive. Once the files have been moved from the file system to the Zip archive, restart the Chocolatey Central Management SQL Server instance and monitor until you are sure there are no issues. If you experience issues, restore the files from the Zip archive and restart the SQL Server instance again.
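The steps above, as an added PowerShell example (not part of the original post or a Chocolatey-provided script): it locates the Log4j JARs under the SQL Server path named above, moves them into a Zip archive, confirms every file actually landed in the archive before deleting the originals, and restarts the SQL Server instance. The archive location and the instance name ($InstanceName) are assumptions you will need to adjust for your environment.

```powershell
# Added example (not from the original post): moves the Log4j 1.2.17 JARs shipped
# with SQL Server Express into a Zip archive and restarts the SQL Server instance.
# Assumptions: the JAR path quoted in the post, and the instance name in $InstanceName
# (use 'MSSQLSERVER' for a default instance; a named instance is 'MSSQL$<Name>').
#Requires -RunAsAdministrator
param(
    [string]$JarPath      = 'C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars',
    [string]$ArchivePath  = 'C:\Temp\log4j-quarantine.zip',   # assumed location
    [string]$InstanceName = 'MSSQLSERVER'                      # placeholder: your CCM instance
)

$serviceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }

# 1. Find the Log4j JARs and record the version embedded in each file name.
$jars = @(Get-ChildItem -Path $JarPath -Filter 'log4j*.jar' -File -ErrorAction Stop)
if ($jars.Count -eq 0) {
    Write-Host "No log4j JARs found under $JarPath; nothing to do."
    return
}
foreach ($jar in $jars) {
    $version = if ($jar.BaseName -match '(\d+\.\d+\.\d+)') { $Matches[1] } else { 'unknown' }
    Write-Host ("Found {0} (version {1}, {2} bytes)" -f $jar.Name, $version, $jar.Length)
}

# 2. Copy the JARs into a Zip archive so they can be restored later if anything breaks.
New-Item -ItemType Directory -Path (Split-Path $ArchivePath) -Force | Out-Null
Compress-Archive -Path $jars.FullName -DestinationPath $ArchivePath -Update

# 3. Verify every JAR is present in the archive before deleting anything from disk.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($ArchivePath)
$archived = @($zip.Entries | ForEach-Object { $_.Name })
$zip.Dispose()
$missing = @($jars | Where-Object { $archived -notcontains $_.Name })
if ($missing.Count -gt 0) {
    throw "Not archived: $($missing.Name -join ', '); originals left in place."
}
Remove-Item -Path $jars.FullName -Force

# 4. Restart the SQL Server instance and confirm it came back up.
Restart-Service -Name $serviceName -Force
$svc = Get-Service -Name $serviceName
Write-Host ("{0} is {1}" -f $serviceName, $svc.Status)

# Roll back if needed: Expand-Archive -Path $ArchivePath -DestinationPath $JarPath
# and then run Restart-Service -Name $serviceName -Force again.
```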

Other Products

The most common repository managers used with Chocolatey are Sonatype Nexus and JFrog Artifactory and we recommend both of those products to customers. While we have confirmed above that Sonatype Nexus is not vulnerable, we wanted to also confirm that JFrog Artifactory is NOT vulnerable.

Forescout have put together an analysis of the ongoing Log4j issues that provides more technical information.

We hope this post answers your question as to whether Chocolatey products are vulnerable. However, if you are a Chocolatey For Business customer and have more questions, please reach out to our Support Team as normal. You can find out your options on how to do so by running choco support from the command line.
