Log4j
Answered
Does the log4j vulnerability also affect PHPStorm?
No, all IntelliJ platform IDEs are not affected by this.
According to this https://www.jetbrains.com/legal/third-party-software/?product=PS&version=2021.3 PhpStorm uses Log4j ver.1.2.x which is not maintained anymore, see https://logging.apache.org/log4j/1.2/ . Is it secure?
Yes, it's secure. 1.2.* versions don't make IJ-based IDEs vulnerable to the RCE.
Anyway, it is vulnerable as well - "A security vulnerability, https://www.cvedetails.com/cve/CVE-2019-17571/ has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2."
We're not using the SocketServer in our IDEs. Instead, the IDE uses a patched version of the library with the problematic classes removed.
Thanks for clarifying things, Dmitry.
You're more than welcome!
That was very helpful. Thank you very much, Dmitry.
You may also check this one (all products info):
https://youtrack.jetbrains.com/issue/IDEA-284795#focus=Comments-27-5648640.0-0
We are still having Log4j issues with our security team and the latest, PHPStorm 2022.1 or greater. See below. I'm having difficulty getting an answer from support. They keep saying that the offending code is no longer used. And we keep saying, we understand that, but it's the mere presence in the build that is the issue.
See issue (#3842631). See report attached.
Here is the report we get from our security scans.
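One way to settle the "patched library with problematic classes removed" claim above, and to give a security team something more precise than a version-string match from a scanner, is to list the entries of the bundled log4j 1.2 JAR and check whether the socket log receiver classes behind CVE-2019-17571 are actually inside it. The script below is an added example, not JetBrains code; it only reads the JAR's entry list (no classes are loaded), and the two sample JARs it builds are constructed test data, so point check_jar() at a real jar under the IDE's lib directory to use it.

```python
import tempfile
import zipfile
from pathlib import Path

# Classes of unpatched log4j 1.2.x that implement the socket log receiver
# behind CVE-2019-17571. SocketServer is the class named in the advisory;
# SocketNode is the class that deserializes received LoggingEvent objects.
SUSPECT_ENTRIES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)


def check_jar(jar_path):
    """Inspect a JAR's entry list for the CVE-2019-17571 classes.

    Returns whether log4j 1.x API classes are present, which suspect
    entries were found, and a short verdict string.
    """
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    # org/apache/log4j/ is the 1.x package; log4j 2 lives under
    # org/apache/logging/. The log4j-1.2-api bridge of log4j 2 also ships
    # this package, so a "log4j 1.x" hit deserves a look at the manifest too.
    log4j1_api = any(n.startswith("org/apache/log4j/") for n in names)
    found = sorted(n for n in SUSPECT_ENTRIES if n in names)
    if not log4j1_api:
        verdict = "no log4j 1.x classes"
    elif found:
        verdict = "log4j 1.x with SocketServer/SocketNode present"
    else:
        verdict = "log4j 1.x with socket receiver classes removed"
    return {"log4j1_api": log4j1_api, "suspect": found, "verdict": verdict}


def build_sample_jar(path, entries):
    """Write a constructed JAR whose entries are empty placeholders (test data)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def demo():
    """Build a stock-like and a stripped log4j 1.2 JAR (constructed) and check both."""
    common = ["META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
              "org/apache/log4j/net/SocketAppender.class"]
    with tempfile.TemporaryDirectory() as tmp:
        stock = Path(tmp) / "log4j-stock.jar"        # constructed file name
        stripped = Path(tmp) / "log4j-stripped.jar"  # constructed file name
        build_sample_jar(stock, common + list(SUSPECT_ENTRIES))
        build_sample_jar(stripped, common)
        return check_jar(stock), check_jar(stripped)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A scanner that flags the JAR by its version string alone cannot tell these two cases apart; the entry list can.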