Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

BurpSuite Enterprise Uses Log4j

Ranjith | Last updated: Apr 26, 2023 09:47PM UTC

Hi Support Team, I just wanted to ensure that log4j-core-2.14.1.jar installed by the Burpsuite enterprise web server is not vulnerable to RCE. I read in the forum that Burpsuite Enterprise does not consume log4J for writing web server/db logs. Please confirm if we can remove these libraries. Also, please ensure that unused vulnerable library versions are either removed or updated in your compiled executable version. You need to remove these libraries from the executable (exe) application. log4j-core-2.14.1.jar log4j-api-2.14.1.jar log4j-slf4j-impl-2.14.1.jar Path burpsuite_enterprise\webServer\2023.4-12640\lib\. Appreciate your support. Thanks

Maia, PortSwigger Agent | Last updated: Apr 27, 2023 02:12PM UTC

Thank you for your message. Our apologies. The log4j-core jar was included in the latest release by mistake. The library is a dependency of another library that is usually excluded. I can confirm that the jar is not used and Burp Suite Enterprise Edition is unaffected by the Log4j vulnerability. You can delete the file without impacting any functionality. You will need to restart the webserver service after deleting the file. We will be releasing a version without the log4j-core jar shortly. However, customers who have already updated to Burp Suite Enterprise Edition version 2023.4 will still need to delete the file manually. Please let me know if you have any questions.

Ranjith | Last updated: Apr 28, 2023 02:24AM UTC

There we go. Thanks. Much appreciated.

Casey | Last updated: Jul 05, 2023 07:56PM UTC

Has log4j been re-introduced into the product in the latest release of Version: 2023.6-12825? I see it now as a vulnerability when testing the burp scanner with vuln scanner and it is located in webserver directory of installation.

Maia, PortSwigger Agent | Last updated: Jul 06, 2023 11:51AM UTC