We are using Drools for our business rules. Is Drools impacted/exposed to CVE-2021-44228 (Log4Shell, or the Log4J/Apache/Java vulnerability)?

Stephen

2 Answers

The whole KIE ecosystem (Kogito, Drools, OptaPlanner and jBPM) moved to SLF4J, a different logging facade with Logback as the default implementation, a few years ago and is therefore not vulnerable to CVE-2021-44228. Accordingly, our recommendation is to ensure your applications are updated to the latest community versions (at the time of writing: Drools, jBPM, KIE Workbench/Business Central and KIE Server 7.62.0.Final; Kogito 1.14.1.Final; OptaPlanner 8.14.0.Final).

from this blog post.

We invite you to keep monitoring the blog post, in case there are any further findings in the future.

tarilabs
  • There are a lot of people on older versions of Drools, though. We're still fielding questions about Drools 3-6 here on StackOverflow. I don't see any indication on that blog post about what versions of Drools still _are_ vulnerable. If someone's on Drools 5, which doesn't use Kie, are they vulnerable? What about 6.0, which does use Kie but is very old? Upgrading from 5.x and lower to "latest" is a rewrite, not a trivial version bump, so just saying "we recommend upgrading to the latest" isn't really something you want to try to do unless you _have_ to. – Roddy of the Frozen Peas Dec 14 '21 at 15:33
  • @RoddyoftheFrozenPeas Drools 6.1 is 7 years old, so: 1. if you didn't upgrade your dependencies in the last 7 years, very likely you have a far more serious security problem; 2. the log4j vulnerability was introduced much more recently, so if you use a 7+ year old version of Drools you certainly don't suffer from it. – Mario Fusco Dec 14 '21 at 16:34
  • Well sure that was just an example. I just don't know when the cutoff is for the switch to logback in Drools and if it was before or after the introduction of the problematic code in log4j2. When I used Drools for work, it was a highly regulated field and we couldn't "just update" anything, so it wasn't unusual to spend an inordinate amount of time on a particular release. (I think they spent 2 years on 7.22 for no reason other than it took that long for the upgrade to be approved, tested, certified, etc.) – Roddy of the Frozen Peas Dec 14 '21 at 17:06
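The answer and its comments turn on one practical question: does a given deployment still carry a log4j-core 2.x jar with the JNDI lookup inside, regardless of which logging facade KIE itself uses (SLF4J does not stop a transitive dependency or a sibling WAR from bundling log4j-core). The scanner below is an added example, not code from the question, the answer or the Drools/KIE project. It assumes a deployment is a directory tree of .jar/.war/.ear/.zip files (KIE Server or Business Central WARs with their WEB-INF/lib, for instance), walks into nested archives, reads log4j-core's version from the jar's own META-INF/maven pom.properties, and checks for the JndiLookup.class that CVE-2021-44228 abuses. The fixed-version thresholds are the published ones for each log4j 2 maintenance line; the sample jars it builds for a demo run are constructed and contain no real log4j code.

```python
"""Audit a Java deployment tree for log4j-core jars still carrying JndiLookup.class.

Added example for this thread; not code from the question, the answer or the
KIE/Drools project.  Assumptions: artifacts are .jar/.war/.ear/.zip files,
nested archives are scanned recursively, and the log4j-core version is read
from the jar's own pom.properties.  Runs offline on constructed sample jars.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

# First release of each log4j 2 maintenance line with the JNDI lookup removed
# or disabled by default: 2.3.1 (Java 6 line), 2.12.2 (Java 7 line), 2.16.0 (Java 8+).
FIXED_BY_LINE = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}
FIXED_DEFAULT = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0).  The pre-release tag is
    dropped: every 2.0 beta predates the fix, so (2, 0, 0) compares as vulnerable."""
    nums = []
    for piece in text.split("-")[0].split("."):
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple((nums + [0, 0, 0])[:3])


def is_vulnerable_version(version):
    """True for log4j-core 2.x builds older than the fixed release of their line."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # log4j 1.x ships no JndiLookup; out of scope for CVE-2021-44228
    return v < FIXED_BY_LINE.get(v[:2], FIXED_DEFAULT)


def scan_archive(data, label):
    """Yield (label, version, has_jndi_lookup) for this archive and every archive
    nested inside it (WEB-INF/lib jars, jars inside ears, ...)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((l.split("=", 1)[1].strip() for l in props
                            if l.startswith("version=")), None)
        if JNDI_LOOKUP in names or version is not None:
            yield label, version, JNDI_LOOKUP in names
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), label + "!" + name)


def classify(version, has_lookup):
    """VULNERABLE: lookup class present and version old or unknown (e.g. shaded jar).
    MITIGATED: old version, but JndiLookup.class was deleted from the jar.
    OK: a release with JNDI lookups disabled by default."""
    old = version is None or is_vulnerable_version(version)
    if has_lookup and old:
        return "VULNERABLE"
    return "MITIGATED" if old else "OK"


def audit(root):
    """Map every log4j-core hit under root (path relative to root, '!' separating
    nested archives) to its classification."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVES):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            for label, version, has_lookup in scan_archive(data, os.path.relpath(path, root)):
                report[label] = classify(version, has_lookup)
    return report


def _fake_jar(entries):
    """In-memory jar from {name: bytes}; constructed sample data, not real log4j."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_tree(root=None):
    """Constructed deployment: a WAR bundling an old log4j-core, a current one,
    a 'zip -q -d' stripped one, and a Logback jar that must not match."""
    root = root or tempfile.mkdtemp(prefix="log4j-audit-")
    old = _fake_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
    new = _fake_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.17.1\n"})
    stripped = _fake_jar({POM_PROPS: b"version=2.14.1\n"})
    logback = _fake_jar({"ch/qos/logback/classic/Logger.class": b"\xca\xfe\xba\xbe"})
    war = _fake_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old})
    for name, data in [("app.war", war), ("log4j-core-2.17.1.jar", new),
                       ("log4j-core-2.14.1-stripped.jar", stripped),
                       ("logback-classic-1.2.3.jar", logback)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for label, status in sorted(audit(target).items()):
        print(f"{status:10s} {label}")
```

Run it with the path of a KIE Server or Business Central installation as the argument (or with no argument to scan the constructed sample tree). A "MITIGATED" entry means someone already deleted JndiLookup.class from an old jar, which was Apache's interim workaround; the only hit that needs no action is "OK". Jars with no pom.properties (fat or shaded jars) are reported as VULNERABLE whenever the lookup class is present, because the version cannot be trusted from the file name alone.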
Looks like it's not the case. In this thread you can find all apps impacted: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

alain.janinm