Last update: 2022-05-19
QF-Test and the QF-Test license server are not vulnerable to Log4shell attack CVE-2021-44228
In recent days, a vulnerability in the popular open source library log4j has been reported, nick-named Log4shell. QF-Test is not (and has never been) vulnerable to this attack, for a number of reasons:
- QF-Test does not directly use log4j, but has always used its own logging system which does not allow any string interpretation or code evaluation.
- The JREs bundled with QF-Test – Oracle JDK and OpenJDK – have shipped with a default setting that should prevent exploitation since Oracle JRE 8u121 in 2019: the variable com.sun.jndi.rmi.object.trustURLCodebase is set to false or null by default, disallowing access to remote resources, and it is not changed by QF-Test. Our software currently ships with JRE 8u292.
- Normally QF-Test is not executed in a server mode, so intruders cannot inject any string with malicious content. But even in daemon or license server mode QF-Test does not require any log4j classes.
- None of the third-party libraries shipped with QF-Test contain log4j in any version vulnerable to the log4shell attack*. This has been verified by us as described below for all current and past official QF-Test versions back to QF-Test 3.4.11 which predates the first vulnerable log4j version 2.0beta9.
*) The log4j classes which were embedded in the bundled version of the external ui-automation library before QF-Test 6.0.0 are known not to be vulnerable to the CVE-2021-44228 attack.
How to verify yourself that no vulnerable version of log4j is in use
To verify that no vulnerable version of log4j is bundled with QF-Test, you can use the Log4j detector tool. First, download the library to your system, e.g. to C:\TEMP. Open a command shell and change to the directory where you placed the file. Then you can use the Java bundled with QF-Test to run the detection tool like this:
# On Windows:
> "C:\Program Files\QFS\qftest\qftest-5.3.4jre\win64\bin\java.exe" -jar log4j-detector-2021.12.13.jar "C:\Program Files\QFS\qftest\"
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [C:\Program Files\QFS\qftest\]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)
# On Linux:
> /data/install/qftest/qftest-5.3.4/jre/linux64/bin/java -jar log4j-detector-2021.12.13.jar /data/install/qftest/
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [/data/install/qftest/qftest-branch]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)
# On macOS:
% /Applications/QF-Test.app/Contents/PlugIns/*.j*/Contents/Home/jre/bin/java -jar log4j-detector-2021.12.13.jar /Applications/QF-Test.app/Contents/Resources
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [/Applications/QF-Test.app/Contents/Resources]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)
(In this example, default paths are used. Please adapt them to the requirements of your system.)
Verifying your own plug-ins
If your tests rely on external plugins not bundled and shipped with QF-Test, you may want to make sure that these plugins are clean, too. From the QF-Test menu, open « Help->Info… » (on macOS « QF-Test->About QF-Test »), select the « System info » tab and follow the link to « dir.plugin ». In your shell, execute the command from above, but replace the path in the last argument with the path for « dir.plugin », for example:
# On macOS:
% /Applications/QF-Test.app/Contents/PlugIns/*.j*/Contents/Home/jre/bin/java -jar log4j-detector-2021.12.13.jar "/Users/pascal/Library/Application Support/de.qfs.apps.qftest/plugin"
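As an added example (this is not code from QFS, from QF-Test, or from the log4j-detector project), the following script performs a comparable check for both the installation directory and the plugin directory described above: it walks a directory tree, opens every jar/war/ear/zip including archives nested inside other archives, reads the log4j-core version from the Maven pom.properties entry and looks for the JndiLookup class. The entry paths and the version cutoffs (2.0-beta9 up to 2.14.1 affected; fixed in 2.15.0, 2.12.2 and 2.3.1) are taken from the Apache Log4j security page; the sample jars built by demo() are constructed test data, not real QF-Test files.

```python
"""Added example, not code from the QFS advisory or the log4j-detector tool: scan a
directory tree (e.g. the QF-Test installation or the dir.plugin folder) for bundled
log4j-core copies in the CVE-2021-44228 version range. 'vulnerable' is None when no
version can be read (shaded or repackaged classes), which then needs a manual look."""
import io, os, re, sys, tempfile, zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_STAGES = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release qualifiers, in order

def version_key(version):
    """Map '2.0-beta9', '2.0-rc1' or '2.14.1' to a comparable tuple; a final
    release sorts after every pre-release of the same number."""
    base, _, qualifier = version.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    m = re.match(r"([A-Za-z]+)(\d*)", qualifier)
    if m and m.group(1).lower() in _STAGES:
        return tuple(nums[:3]) + (_STAGES[m.group(1).lower()], int(m.group(2) or 0))
    return tuple(nums[:3]) + (9, 0)

def is_vulnerable_version(version):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; fixed in 2.15.0
    (Java 8+), 2.12.2 (Java 7 branch) and 2.3.1 (Java 6 branch)."""
    key = version_key(version)
    major, minor, patch = key[:3]
    if major != 2 or key < version_key("2.0-beta9"):
        return False
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    return key < version_key("2.15.0")

def inspect_archive(data, name, findings, depth=0):
    """Record log4j-core markers found in one in-memory archive, recursing into
    nested archives such as the jars under WEB-INF/lib of a war."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if JNDI_LOOKUP_CLASS in names or version is not None:
            findings.append({"archive": name, "version": version,
                             "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
                             "vulnerable": is_vulnerable_version(version) if version else None})
        if depth < 5:  # bound the recursion on pathological nesting
            for inner in names:
                if inner.lower().endswith(ARCHIVE_SUFFIXES):
                    inspect_archive(zf.read(inner), name + "!" + inner, findings, depth + 1)

def scan_tree(root):
    """Walk a directory and return one finding per log4j-core copy encountered."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    inspect_archive(fh.read(), os.path.join(dirpath, fn), findings)
    return findings

def make_jar_bytes(version=None, with_lookup=False, nested=()):
    # Build a minimal constructed jar in memory (sample data, not a real log4j jar).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPERTIES, "version=%s\n" % version)
        if with_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
        for inner_name, inner_bytes in nested:
            zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()

def demo():
    """Scan a constructed sample tree; returns findings keyed by path relative to it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "lib/log4j-core-2.14.1.jar": make_jar_bytes("2.14.1", True),
        "lib/log4j-core-2.17.1.jar": make_jar_bytes("2.17.1", True),  # class present, fixed
        "lib/shaded-tool.jar": make_jar_bytes(None, True),  # repackaged, version unknown
        "webapp.war": make_jar_bytes(nested=[("WEB-INF/lib/log4j-core-2.12.1.jar",
                                              make_jar_bytes("2.12.1", True))]),
    }
    for rel, data in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return {os.path.relpath(f["archive"], root).replace(os.sep, "/"): f
            for f in scan_tree(root)}

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else list(demo().values())
    for f in results:
        state = {True: "VULNERABLE", False: "fixed", None: "UNKNOWN"}[f["vulnerable"]]
        print("%s  version=%s  JndiLookup=%s  %s" % (f["archive"], f["version"],
                                                      f["jndi_lookup_present"], state))
    sys.exit(1 if any(f["vulnerable"] is not False for f in results) else 0)
```

Run it with the installation or plugin directory as the only argument (for example the QF-Test directory or the « dir.plugin » path); without an argument it scans the constructed sample tree. The exit status is non-zero both for a vulnerable version and for a copy whose version could not be determined, so a shaded or repackaged log4j (like the classes the footnote above mentions) is flagged for manual review rather than silently passed.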