Burp Suite User Forum


BurpSuite Enterprise Uses Log4j

Ranjith | Last updated: Apr 26, 2023 09:47PM UTC

Hi Support Team,

I just wanted to ensure that log4j-core-2.14.1.jar installed by the Burpsuite enterprise web server is not vulnerable to RCE. I read in the forum that Burpsuite Enterprise does not consume log4J for writing web server/db logs. Please confirm if we can remove these libraries. Also, please ensure that unused vulnerable library versions are either removed or updated in your compiled executable version. You need to remove these libraries from the executable (exe) application.

log4j-core-2.14.1.jar
log4j-api-2.14.1.jar
log4j-slf4j-impl-2.14.1.jar

Path: burpsuite_enterprise\webServer\2023.4-12640\lib\

Appreciate your support. Thanks

Maia, PortSwigger Agent | Last updated: Apr 27, 2023 02:12PM UTC

Thank you for your message. Our apologies. The log4j-core jar was included in the latest release by mistake. The library is a dependency of another library that is usually excluded. I can confirm that the jar is not used and Burp Suite Enterprise Edition is unaffected by the Log4j vulnerability. You can delete the file without impacting any functionality. You will need to restart the webserver service after deleting the file. We will be releasing a version without the log4j-core jar shortly. However, customers who have already updated to Burp Suite Enterprise Edition version 2023.4 will still need to delete the file manually. Please let me know if you have any questions.

Ranjith | Last updated: Apr 28, 2023 02:24AM UTC

There we go. Thanks. Much appreciated.

Casey | Last updated: Jul 05, 2023 07:56PM UTC

Has log4j been re-introduced into the product in the latest release, Version 2023.6-12825? I see it now as a vulnerability when testing the Burp scanner with a vuln scanner, and it is located in the webserver directory of the installation.

Maia, PortSwigger Agent | Last updated: Jul 06, 2023 11:51AM UTC

We are extremely sorry for this mistake. We had put measures in place to prevent this from happening again, but unfortunately, these measures failed when log4j was included as a dependency of a different library. We will be excluding this vulnerable library from all of our dependencies and reviewing our processes further to avoid this issue in the future. The log4j library is not used, and the file can be deleted. I can again confirm that Burp Suite Enterprise Edition is not affected by the Log4j vulnerability.
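
A read-only inventory check for the jars discussed in this thread, added here as an example (it is not PortSwigger's code and not part of any post). It lists Log4j jars under an install directory by file name and by the presence of the log4j-core `JndiLookup` class, so a renamed copy is still reported after an upgrade. The directory layout, `BUILD-PLACEHOLDER` and the sample jars are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class shipped only in log4j-core; finding it identifies the jar even if renamed.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$", re.I)

def inspect_jar(path):
    """Return a finding dict for a Log4j jar, or None for unrelated jars."""
    m = NAME_RE.match(path.name)
    artifact, version = (m.group(1).lower(), m.group(2)) if m else (None, None)
    try:
        with zipfile.ZipFile(path) as zf:
            has_core = JNDI_LOOKUP in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        has_core = False  # unreadable archive: fall back to the file name only
    if artifact is None and not has_core:
        return None
    return {"file": path.name, "artifact": artifact, "version": version,
            "contains_log4j_core": has_core}

def scan(root):
    """Walk root recursively and report every Log4j jar found (read-only)."""
    found = (inspect_jar(p) for p in sorted(Path(root).rglob("*.jar")))
    return [f for f in found if f]

def build_sample(root):
    """Constructed stand-in for webServer/<build>/lib with empty class entries."""
    lib = Path(root) / "webServer" / "BUILD-PLACEHOLDER" / "lib"
    lib.mkdir(parents=True)
    layout = {"log4j-core-2.14.1.jar": JNDI_LOOKUP,
              "log4j-api-2.14.1.jar": "org/apache/logging/log4j/Logger.class",
              "log4j-slf4j-impl-2.14.1.jar": "org/slf4j/impl/StaticLoggerBinder.class",
              "renamed-bundle.jar": JNDI_LOOKUP,      # core classes under another name
              "unrelated-1.0.jar": "com/example/App.class"}
    for name, entry in layout.items():
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr(entry, b"")
    return lib

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in scan(tmp):
            print(f)
```

Pointing `scan()` at the real installation directory after each upgrade shows whether the jar has come back before an external vulnerability scanner flags it.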
