
Android Studio and Log4j

Chr999chr

Lurker
I am looking to install Android Studio in our classrooms but our network team are flagging up after a security sweep that it has a jar file with log4j 1.2 installed.

I have googled but I cannot find out how to upgrade this embedded log4j file to 2.17. I have read that 1.2 is not a security threat but it has not been updated since 2015 so our network team are saying it may have other issues.
Any ideas on how to get around this issue?
The log4j.jar file is included with a new installation of Android Studio.
 
Log4j 1.2 is not vulnerable. Only versions 2.0 to 2.14.1 pose a security threat. Android Studio is based on JetBrains IntelliJ IDE. You can read about this on their official blog post on this matter.

https://blog.jetbrains.com/blog/2021/12/13/log4j-vulnerability-and-jetbrains-products-and-services/

A quote from their actions taken:
"All IntelliJ platform based IDEs – Not affected."
 
Is Android Studio 1.2 affected by these?

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
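For a network team that wants more than a file-name match, the script below (an added example, not from this thread or from Google/JetBrains) walks an install directory such as an Android Studio folder, identifies log4j jars by their class entries, reads the version from the manifest, and reports the two Log4j 1.2 classes discussed above plus the 2.0 to 2.14.1 range the reply mentions. The `build_sample_jar` helper creates a constructed stand-in jar for testing; the paths and version strings it writes are assumptions, not real artefacts.

```python
"""Inventory log4j jars under an install tree and flag the classes discussed in the thread."""
import os, re, sys, tempfile, zipfile
from pathlib import Path

# Log4j 1.x class entries relevant to the two advisories quoted in the thread.
LOG4J1_RISKY = {
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender present (CVE-2021-4104; only if configured)",
    "org/apache/log4j/net/SocketServer.class": "SocketServer present (CVE-2019-17571; only if listening)",
}
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def _vtuple(version):
    """'2.14.1' -> (2, 14, 1); non-numeric parts are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])

def assess_jar(path):
    """Return None if the jar is not log4j, otherwise a finding dict."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        is_v1 = "org/apache/log4j/Logger.class" in names
        is_v2 = "org/apache/logging/log4j/core/Logger.class" in names
        if not (is_v1 or is_v2):
            return None
        version = "unknown"
        if "META-INF/MANIFEST.MF" in names:
            m = re.search(rb"Implementation-Version:\s*(\S+)", zf.read("META-INF/MANIFEST.MF"))
            version = m.group(1).decode() if m else version
    finding = {"jar": str(path), "major": 1 if is_v1 else 2, "version": version, "notes": []}
    if is_v1:
        finding["notes"].append("Log4j 1.x reached end of life in August 2015; no fixes will ship")
        finding["notes"] += [note for cls, note in LOG4J1_RISKY.items() if cls in names]
    elif version != "unknown" and (2, 0) <= _vtuple(version) <= (2, 14, 1):
        finding["notes"].append("Version in 2.0-2.14.1 range (CVE-2021-44228)" + (" with JndiLookup class" if LOG4J2_JNDI in names else ""))
    return finding

def scan_tree(root):
    """All log4j findings under root, recursing through *.jar files."""
    return [f for p in Path(root).rglob("*.jar") if (f := assess_jar(p))]

def build_sample_jar(path):
    """Constructed stand-in for a log4j 1.2.17 jar (empty class entries), for testing only."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        for cls in ("org/apache/log4j/Logger.class", *LOG4J1_RISKY):
            zf.writestr(cls, b"")

def self_check():
    """Build the constructed sample in a temp dir and scan it; returns the findings list."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    build_sample_jar(os.path.join(root, "lib", "log4j.jar"))
    return scan_tree(root)

if __name__ == "__main__":
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding["jar"], finding["version"], *finding["notes"], sep="\n  ")
```

Run it with the Android Studio install directory as the argument; a 1.x hit with JMSAppender or SocketServer listed is a candidate for a configuration review rather than proof of exposure, since both issues require a non-default configuration or listener.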
 