Is Nexus3 vulnerable to the log4j issue?

So, the main question is in the topic.

Please refer to the blog post for this answer: Critical New 0-day Vulnerability in Popular Log4j Library Discovered with Evidence of Mass Scanning for Affected Applications


@plynch, can you summarize? There is a lot of information in the linked blog about what the vulnerability is and how to address it in various scenarios. Only at the very end is there a short statement that says Sonatype products do not use log4j. The implication is that Sonatype products are not vulnerable to this issue.

Searching the Nexus Repository configuration, for example, I find a Karaf configuration file that contains a log4j2 option. Can you confirm that, despite this, log4j is not in use?

Hi @lesley.j.kimmel! Sonatype products do not use log4j-core. This means our software, including Nexus Lifecycle, Nexus Firewall, Nexus Repository Manager OSS, and Nexus Repository Manager Pro in versions 2.x and 3.x, is NOT affected by CVE-2021-44228. We still advise keeping your software upgraded at the latest version.

Hello @mharwood ! Thank you for the reply. Does this mean that the Nexus Repository Manager does not configure the use of Log4j via properties or configuration or that the Log4j libraries are not even present in the installed product?

@lesley.j.kimmel we saw that same property in the Karaf configuration and did a deep dive. Our conclusion was that Karaf does not download log4j and we do not ship log4j-core with Nexus Repository Manager. Instead we use logback for our logging solution. As a result we are not affected by the log4j CVEs.


An easy way to verify: in the Admin section of the UI there is an entry for Bundles. This provides information from the OSGi framework (Apache Felix) about the bundles in the running system.
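A filesystem-level check that complements the Bundles view, as an added example that is not Sonatype's code and not part of this thread: it walks an installation directory and looks inside every jar, war, ear or zip, including archives nested inside other archives (the shaded or fat-jar case), for log4j-core's `JndiLookup` class, which is the class that carries the CVE-2021-44228 lookup, and reports the version from the bundled Maven `pom.properties` when present. A Karaf property that merely mentions log4j2 is not evidence the library is present; the class is. The Nexus installation path is not known here, so it is taken as a command-line argument; run without one, the script builds a constructed sample tree (a logback jar, a log4j-api jar and a war embedding a log4j-core-shaped jar) and scans that, so it runs offline. It only sees what is on disk under the root, not jars loaded from elsewhere at runtime, which is why the running-system Bundles view is still worth checking.

```python
#!/usr/bin/env python3
"""Scan a directory tree for bundled log4j-core (CVE-2021-44228 exposure check).

Added example, not Sonatype code. Looks inside every archive under a root,
recursing into archives nested in archives, for the log4j-core marker class.
"""
import io
import os
import sys
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# The class whose JNDI lookup is the CVE-2021-44228 entry point; only log4j-core ships it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata log4j-core carries; used only to report the version if present.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _scan_archive(data: bytes, label: str, findings: list) -> None:
    """Inspect one archive held in memory and recurse into any nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt or misnamed file, not an archive; skip it
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append((label, version))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            # JVM-style "outer!inner" label so nested hits are locatable
            _scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_for_log4j_core(root: str) -> list:
    """Return [(archive_label, version)] for every archive under root that contains log4j-core.

    An empty list means no JndiLookup class was found anywhere under root.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    _scan_archive(fh.read(), path, findings)
    return findings


def build_fixture(root: str) -> None:
    """Constructed sample tree (not a real Nexus install) to exercise the scanner."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    os.makedirs(os.path.join(root, "deploy"), exist_ok=True)
    # 1. A logback-style jar (what Nexus actually uses): must NOT be flagged.
    with zipfile.ZipFile(os.path.join(root, "lib", "logback-classic-1.2.3.jar"), "w") as z:
        z.writestr("ch/qos/logback/classic/Logger.class", b"\xca\xfe\xba\xbe")
    # 2. A log4j-api-only jar: the API has no JndiLookup, so it must NOT be flagged.
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-api-2.14.1.jar"), "w") as z:
        z.writestr("org/apache/logging/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    # 3. A log4j-core lookalike nested inside a war (fat-jar case): MUST be flagged.
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, "version=2.14.1\ngroupId=org.apache.logging.log4j\n")
    with zipfile.ZipFile(os.path.join(root, "deploy", "someapp.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())


def demo_scan() -> list:
    """Build the constructed fixture in a fresh temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-demo-")
    build_fixture(root)
    return scan_for_log4j_core(root)


if __name__ == "__main__":
    # Usage: python3 scan_log4j.py /path/to/nexus-install   (no arg: scan the fixture)
    hits = scan_for_log4j_core(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for where, ver in hits:
        print(f"log4j-core {ver} found in {where}")
    print("no log4j-core found" if not hits else f"{len(hits)} hit(s)")
    sys.exit(1 if hits else 0)
```

Against the fixture the only hit is the jar nested in the war; the logback and log4j-api jars are correctly ignored. Point it at a real installation directory and a non-zero exit code means a log4j-core archive is on disk there.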