Burp Suite User Forum


Are Burp Collaborator or Burp Enterprise vulnerable to Log4j

Ken | Last updated: Dec 11, 2021 08:38PM UTC

Hi, as Burp Collaborator and Burp Enterprise are Java based and aren't bundled with the latest version of Java, they may be vulnerable to the Log4j issues. Are you able to confirm whether they are or not? Thanks!

Tobias | Last updated: Dec 13, 2021 11:42AM UTC

A statement on this would be quite good.

Muhammad | Last updated: Dec 13, 2021 03:15PM UTC

Can you please confirm if Burp Suite products are vulnerable to Log4j2?

Alex, PortSwigger Agent | Last updated: Dec 13, 2021 03:33PM UTC

Hi, thanks for your post.

In regards to Burp Suite Enterprise, we utilize a custom-built JDK, and I can confirm we don't use Log4j for logging. It is still included as a transitive dependency, so as a precautionary measure, we are in the process of excluding the core library from the dependencies altogether. We will be releasing this fix imminently, and I would be happy to confirm by updating this thread once complete.

Burp Suite Professional and the Collaborator server are not affected by the Log4j vulnerability.

There are some extensions that do use Log4j, so we would recommend reviewing any extensions you are currently using. You can find the source code for any BApp Store extensions here: https://github.com/PortSwigger

Thanks

Muhammad | Last updated: Dec 13, 2021 05:28PM UTC

Can you please check if any of these extensions use Log4j? It would be better if you could please let us know which extensions use Log4j rather than checking each and every one. And if they do, shouldn't you disable those extensions?

Retire.Js
Auth Analyzer
Software Version Reporter
JSON Web Tokens
Anonymous Cloud, Configuration and Subdomain Takeover Scanner
XSS Validator

Alex, PortSwigger Agent | Last updated: Dec 14, 2021 10:09AM UTC

Hi, we are currently in the process of reviewing all Burp extensions that may be affected and will be contacting the BApp authors with remediation steps and a timeframe for fixes. Please note that extensions are written by third-party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose. Thanks

Alex, PortSwigger Agent | Last updated: Dec 15, 2021 09:51AM UTC

Hi,

Just as an update - we have released Enterprise v2021.12.1 which removes the library dependency as a precautionary measure.

You can review the release notes here.

Thanks

Sven | Last updated: Jan 03, 2022 10:03AM UTC

Hi Alex, any update on this? Tbh, I am a bit puzzled to see that every user should review the extensions on their own when you already have a list of potentially vulnerable extensions. Could you maybe bring that discussion up internally again and update us? Thanks, Sven

Alex, PortSwigger Agent | Last updated: Jan 04, 2022 03:08PM UTC

Hi Sven, auditing of the extensions is still ongoing, but I can confirm the following extensions are yet to be updated:

AWS Sigv4
NoPE proxy
Crypto Messages Handler
Image Metadata
Attack Surface Detector
XChromeLogger decoder
EsPReSSO
ThreadFix
Retire.js
Burp CSJ
Reissue Request Scripter
Wsdler

Thanks
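For readers who want to follow the recommendation above and review their own installed extensions rather than wait for the audit, the script below is an added example, not PortSwigger's tooling and not the code of any BApp. It walks a directory of extension jars, recurses into nested jars (shaded or "fat" BApps bundle their dependencies this way), and reports any jar that carries Log4j 2 core classes, the version recorded in the bundled pom.properties if present, and whether the JndiLookup class is still inside. The sample jars it builds for a self-contained run are constructed here; the directory path, the `demo` helper and the version string in the sample are assumptions for illustration. The output is an inventory to compare against the current Apache Log4j advisory, not a vulnerability verdict.

```python
import io
import sys
import tempfile
import zipfile
from pathlib import Path

# Entry names that identify a bundled Log4j 2 core artifact. JndiLookup is the
# class removed by the widely published "strip JndiLookup.class" mitigation, so
# its presence or absence is worth reporting separately from the version.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_from_pom(zf):
    """Read the Maven-recorded log4j-core version, or None if not bundled."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar_bytes(data, label):
    """Return findings for one jar (given as bytes), recursing into nested jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            findings.append({
                "jar": label,
                "log4j_core_version": _version_from_pom(zf),
                "jndi_lookup_present": JNDI_LOOKUP in names,
            })
        # Shaded extensions may carry their dependencies as jar-in-jar entries.
        for n in names:
            if n.endswith(".jar"):
                findings.extend(inspect_jar_bytes(zf.read(n), f"{label}!{n}"))
    return findings


def scan_extension_dir(directory):
    """Scan every *.jar under `directory` (e.g. where your BApps are stored)."""
    results = []
    for p in sorted(Path(directory).rglob("*.jar")):
        results.extend(inspect_jar_bytes(p.read_bytes(), str(p)))
    return results


def build_sample_jars(directory):
    """Write two constructed jars (not real BApps) so the example runs offline."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    stub_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    # A clean extension: only its own classes, no logging library bundled.
    with zipfile.ZipFile(directory / "clean_ext.jar", "w") as zf:
        zf.writestr("burp/BurpExtender.class", stub_class)
    # A shaded extension bundling a nested log4j-core jar (constructed content;
    # the version string is an assumption chosen for the sample).
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as inner:
        inner.writestr(LOG4J_CORE_PREFIX + "Logger.class", stub_class)
        inner.writestr(JNDI_LOOKUP, stub_class)
        inner.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
    with zipfile.ZipFile(directory / "shaded_ext.jar", "w") as zf:
        zf.writestr("burp/BurpExtender.class", stub_class)
        zf.writestr("lib/log4j-core.jar", nested.getvalue())
    return directory


def demo():
    """Build the constructed samples in a temp dir and scan them."""
    return scan_extension_dir(build_sample_jars(tempfile.mkdtemp()))


if __name__ == "__main__":
    # Usage: python log4j_bapp_inventory.py /path/to/extension/jars
    # With no argument, the constructed sample jars are scanned instead.
    hits = scan_extension_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for h in hits:
        print(f"{h['jar']}: log4j-core {h['log4j_core_version'] or 'unknown'}, "
              f"JndiLookup {'present' if h['jndi_lookup_present'] else 'absent'}")
    if not hits:
        print("no Log4j 2 core classes found")
```

Only jars that actually contain `org/apache/logging/log4j/core/` classes are reported, so an extension that merely references the Log4j API without bundling the core library is not flagged; reviewing that case means checking what the host JVM's classpath provides, which is exactly the point Alex makes above about Enterprise's transitive dependency.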

Chen | Last updated: Jan 10, 2022 04:21PM UTC

Hello Alex, will there be a Log4j update to Burp Professional? The latest version is v2021.10.3. Thank you

Alex, PortSwigger Agent | Last updated: Jan 10, 2022 06:10PM UTC

Hi Jennifer,

Burp Suite Professional and the Collaborator server are not affected by the Log4j vulnerability.

If you are referring to active scan checks using Burp Suite Professional to find Log4j vulnerabilities, we are recommending the use of the Log4Shell Scanner extension.

Thanks
