Log4j

Answered

Does the log4j vulnerability also affect PHPStorm?

2
10 comments

No, all IntelliJ platform IDEs are not affected by this.

1
Permanently deleted user

According to this https://www.jetbrains.com/legal/third-party-software/?product=PS&version=2021.3 PhpStorm uses Log4j ver. 1.2.x, which is not maintained anymore, see https://logging.apache.org/log4j/1.2/ . Is it secure?

0

Yes, it's secure. 1.2.* versions don't make IJ-based IDEs vulnerable to the RCE. 

1
Permanently deleted user

Anyway, it is vulnerable as well - "A security vulnerability, https://www.cvedetails.com/cve/CVE-2019-17571/ has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2."

0

We're not using the SocketServer in our IDEs. Instead, the IDE uses a patched version of the library with problematic classes removed.

1
Permanently deleted user

Thanks for clarifying things, Dmitry.

0

You're more than welcome!

1
Permanently deleted user

That was very helpful. Thank you very much, Dmitry.

0

We are still having Log4j issues with our security team and the latest PHPStorm, 2022.1 or greater. See below. I'm having difficulty getting an answer from support. They keep saying that the offending code is no longer used. And we keep saying, we understand that, but the mere presence in the build is the issue.

See issue (#3842631). See report attached. 

Here is the report we get from our security scans. 

Plugin Output:
Path : /home/jschlies/bin/PhpStorm-212.5284.49/lib/util.jar
Installed version : 1.2.17
Synopsis: A logging library running on the remote host is no longer supported.
Description: According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer supported. Log4j reached its end of life prior to 2016.
Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
Solution: Upgrade to a version of Apache Log4j that is currently supported.
Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.

0
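The scanner report above flags the jar purely on its self-reported version number, while the JetBrains reply earlier in the thread says the bundled library is a patched build with the problematic classes removed. The following audit script is an added example, not code from JetBrains or from the scanner vendor: it opens a jar and checks whether Log4j 1.x classes are bundled, what version the manifest claims, and whether the `org/apache/log4j/net/SocketServer.class` entry behind CVE-2019-17571 is actually present, so a security team can verify the "classes removed" claim instead of arguing about the version string. It assumes the jar keeps Log4j's standard class layout and an `Implementation-Version` manifest header; the sample jar it builds is constructed and stands in for the real `util.jar`.

```python
import io
import zipfile

# Class entry behind CVE-2019-17571 (standard Log4j 1.2 package layout, assumed).
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Any Log4j 1.x bundle carries this core class.
LOG4J1_MARKER_CLASS = "org/apache/log4j/Logger.class"


def audit_jar(jar_bytes):
    """Report whether a jar bundles Log4j 1.x, what version its manifest
    claims, and whether the SocketServer class is really present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        # Log4j 1.2 builds record their version in the manifest (assumed header).
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    return {
        "has_log4j1": LOG4J1_MARKER_CLASS in names,
        "version": version,
        "socket_server_present": SOCKET_SERVER_CLASS in names,
    }


def audit_jar_file(path):
    """Convenience wrapper for a jar on disk, e.g. the lib/util.jar from the report."""
    with open(path, "rb") as fh:
        return audit_jar(fh.read())


def build_sample_jar(include_socket_server):
    """Constructed stand-in for util.jar containing only the entries the audit reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.17\r\n\r\n")
        zf.writestr(LOG4J1_MARKER_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if include_socket_server:
            zf.writestr(SOCKET_SERVER_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Stock 1.2.17 layout vs. a build with the SocketServer class stripped.
    print(audit_jar(build_sample_jar(include_socket_server=True)))
    print(audit_jar(build_sample_jar(include_socket_server=False)))
```

Both sample jars report version 1.2.17, which is all the scanner looks at; only the `socket_server_present` field distinguishes a stock build from a stripped one.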
