Inquiry on UiPath's logging framework - concerns on Log4Shell vulnerability

A good day to you. I wish to inquire if there is any concern from UiPath in regard to the threat posed by the Apache Log4j vulnerability (Recently uncovered software flaw ‘most critical vulnerability of the last decade’ | Software | The Guardian). I know UiPath Orchestrator runs on MS IIS and wanted to know what logging framework is used.

14 Likes

@michael_wong - thanks for asking. I would very much like to know this as well

Robots and Orchestrator use the NLog framework, which is different from log4j.

1 Like

Elasticsearch itself uses log4j though. Although it seems that most of the vulnerability has been mitigated. Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack

1 Like

Thanks for the link. Very useful. Following for updates

Insights will have been affected.

More information
A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).

Affected versions:
Log4j versions 2.x prior to and including 2.14.1

According to the following post, UiPath is evaluating the impact.

1 Like

I reached out to our CSM and have been provided the following communication for the time being.

The UiPath Security and Product Engineering teams are completing the exposure analysis of the Log4J vulnerability, categorized as CVE-2021-44228, and taking mitigation actions. At this time, UiPath has found no evidence of risk associated with this vulnerability for the following products:

  • Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.)
  • Orchestrator
  • Automation Hub (including Task Capture)
  • Data Services
  • Task Mining
  • Process Mining
  • Test Manager
  • Automation Ops
  • Action Center
  • Apps
  • AI Center
  • HAA
  • All UiPath Activity Packages published to the UiPath Official Feed
  • Automation Cloud supporting services not accessible by customers

The following products are still under investigation by UiPath:

  • Insights
  • Automation Suite supporting services

Customers using Elastic Search, which is commonly leveraged alongside UiPath products, should be aware that Elastic has announced that versions 6.x and 7.x are mitigated; however, customers should follow Elastic announcements via their blog.

5 Likes

Good morning.

Do we know if this is affecting the Java plugin (Studio > Tools > Java)?

1 Like

No, this is only for products / items that include log4j.

FYI, another vulnerability for log4j was discovered: CVE-2021-45046. It’s been addressed in 2.16.0, as the original fix in 2.15.0 for CVE-2021-44228 was incomplete. I’ve asked in the linked thread if this will be addressed in the same communication update.
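An added inventory helper (example code, not UiPath's or anyone's in this thread) that applies the version thresholds stated above: Log4j 2.x up to and including 2.14.1 for CVE-2021-44228, and up to 2.15.0 for CVE-2021-45046, which is fixed in 2.16.0. The sample jar paths are constructed; the check is purely numeric against those thresholds and does not account for Apache's backported fix releases for older 2.x branches.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Thresholds as stated in the thread (example values, not an official advisory table):
#   CVE-2021-44228: Log4j 2.x prior to and including 2.14.1
#   CVE-2021-45046: the 2.15.0 fix was incomplete; addressed in 2.16.0
LAST_VULN_44228 = (2, 14, 1)
LAST_VULN_45046 = (2, 15, 0)

# Matches bundled jar names such as log4j-core-2.11.1.jar (Elasticsearch ships one).
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); shorter strings are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def triage(version: str) -> List[str]:
    """Return the CVEs (from this thread) a given log4j-core version is still exposed to."""
    v = parse_version(version)
    cves: List[str] = []
    if v[0] != 2:
        return cves  # the thread only discusses the 2.x line
    if v <= LAST_VULN_44228:
        cves.append("CVE-2021-44228")
    if v <= LAST_VULN_45046:
        cves.append("CVE-2021-45046")
    return cves


def classify_jars(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map each log4j-core jar path to its outstanding CVEs; other files are skipped."""
    findings: Dict[str, List[str]] = {}
    for p in paths:
        m = JAR_RE.search(Path(p).name)
        if m:
            findings[p] = triage(m.group(1))
    return findings


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree (e.g. an Elasticsearch install) and classify every log4j-core jar."""
    return classify_jars(str(p) for p in Path(root).rglob("log4j-core-*.jar"))


# Constructed sample inventory, standing in for a real directory walk.
SAMPLE_PATHS = [
    "/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
    "/opt/app/lib/log4j-core-2.16.0.jar",
    "/opt/app/lib/log4j-api-2.16.0.jar",
]

if __name__ == "__main__":
    for path, cves in classify_jars(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(cves) if cves else "no outstanding CVE from this thread")
```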

Thanks. I had the same reply from UiPath support as well.

1 Like
