A good day to you. I wish to inquire whether there is any concern from UiPath in regard to the threat posed by the Apache Log4j vulnerability (Recently uncovered software flaw ‘most critical vulnerability of the last decade’ | Software | The Guardian). I know UiPath Orchestrator runs on MS IIS and wanted to know what logging framework is used.
@michael_wong - thanks for asking. I would very much like to know this as well
Robots and Orchestrator use the NLog framework, which is different from log4j.
Elasticsearch itself uses log4j, though. It seems that most of the vulnerability has been mitigated, however. Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack
Thanks for the link. Very useful. Following for updates
Insights will have been affected.
A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021, that results in remote code execution (RCE).
Log4j versions 2.x prior to and including 2.14.1
According to the following post, UiPath is evaluating the impact
I reached out to our CSM and have been provided the following communication for the time being.
The UiPath Security and Product Engineering teams are completing the exposure analysis of the Log4J vulnerability, categorized as CVE-2021-44228 and taking mitigation actions. At this time, UiPath has found no evidence of risk associated with this vulnerability for the following products:
- Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.)
- Automation Hub (including Task Capture)
- Data Services
- Task Mining
- Process Mining
- Test Manager
- Automation Ops
- Action Center
- AI Center
- All UiPath Activity Packages published to the UiPath Official Feed
- Automation Cloud supporting services not accessible by customers
The following products are still under investigation by UiPath:
- Automation Suite supporting services
Customers using Elasticsearch, which is commonly leveraged alongside UiPath products, should be aware that Elastic has announced that versions 6.x and 7.x are mitigated; however, customers should follow Elastic announcements via their blog.
Do we know if this is affecting the Java Plugin (Studio > Tools > Java)?
No, this is only for products / items that include log4j.
FYI, another vulnerability for log4j was discovered: CVE-2021-45046. It’s been addressed in 2.16.0, as the original fix in 2.15.0 for CVE-2021-44228 was incomplete. – I’ve asked in the linked thread if this will be addressed in the same communication update.
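The two posts above give the affected range for CVE-2021-44228 (Log4j 2.x up to and including 2.14.1) and note that 2.15.0 was an incomplete fix, with CVE-2021-45046 closed in 2.16.0. The following is an added example, not code from UiPath, Elastic or the thread, of the kind of inventory check a defender runs over a deployment: it classifies a Log4j 2.x version string against those two CVEs and inspects a jar for the JndiLookup class that the exploit chain depends on (its removal from the jar was a published interim mitigation). The sample jars are constructed in memory; the function and file names are the example's own, and the maintenance-branch backport releases (2.12.x, 2.3.x) are deliberately not modelled.

```python
"""Inventory helper: classify Log4j 2.x versions against CVE-2021-44228 and
CVE-2021-45046, and check a jar for the JndiLookup class.

Added example, not code from UiPath or Elastic. Version thresholds come from
the thread: <= 2.14.1 is affected by CVE-2021-44228; 2.15.0 is an incomplete
fix, so anything below 2.16.0 is still affected by CVE-2021-45046.
Backport branches (2.12.x, 2.3.x) are NOT modelled here (assumption)."""
import io
import re
import zipfile
from typing import Optional

# Path of the lookup class inside log4j-core; deleting it from the jar was a
# published interim mitigation, so its presence is worth reporting.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess_log4j_version(version: str) -> dict:
    """Return which of the two CVEs apply to a mainline Log4j 2.x release."""
    v = parse_version(version)
    if v[0] != 2:
        return {"version": version, "cve_2021_44228": False,
                "cve_2021_45046": False,
                "recommendation": "not a Log4j 2.x line; outside the scope of these CVEs"}
    affected_44228 = v <= (2, 14, 1)      # original RCE, fixed in 2.15.0
    affected_45046 = v < (2, 16, 0)       # 2.15.0 fix incomplete, fixed in 2.16.0
    if affected_44228 or affected_45046:
        recommendation = "upgrade to 2.16.0 or later"
    else:
        recommendation = "not affected by CVE-2021-44228 / CVE-2021-45046"
    return {"version": version, "cve_2021_44228": affected_44228,
            "cve_2021_45046": affected_45046, "recommendation": recommendation}


def version_from_jar_name(name: str) -> Optional[str]:
    """Pull the version out of a log4j-core-<version>.jar file name."""
    m = re.search(r"log4j-core-(\d+\.\d+\.\d+)\.jar$", name)
    return m.group(1) if m else None


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_CLASS in zf.namelist()


def assess_jar(name: str, jar_bytes: bytes) -> dict:
    """Combine the file-name version check with the class-presence check."""
    version = version_from_jar_name(name)
    report = (assess_log4j_version(version) if version
              else {"version": None, "cve_2021_44228": None, "cve_2021_45046": None,
                    "recommendation": "version not recoverable from file name; inspect manifest"})
    report["file"] = name
    report["jndi_lookup_present"] = jar_has_jndi_lookup(jar_bytes)
    return report


def build_sample_jar(include_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core: a zip with a manifest and a
    placeholder class entry, optionally including JndiLookup.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inventory: an unpatched jar, the incomplete 2.15.0 fix with
    # the class removed, and a fully patched 2.16.0 jar.
    samples = [
        ("lib/log4j-core-2.14.1.jar", build_sample_jar(True)),
        ("lib/log4j-core-2.15.0.jar", build_sample_jar(False)),
        ("lib/log4j-core-2.16.0.jar", build_sample_jar(True)),
    ]
    for name, data in samples:
        print(assess_jar(name, data))
```

Run as a script it prints one report per constructed jar; in a real deployment you would feed it the jar paths found on the Orchestrator or Elasticsearch hosts. Note that a jar with JndiLookup removed is still reported against its version, since the class-removal mitigation does not change the version string.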
Thanks. I had the same reply from UiPath support as well.