No Log4j Vulnerability in QF-Test

Last update: 2022-05-19

QF-Test and the QF-Test license server are not vulnerable to Log4shell attack CVE-2021-44228

In the last days, a vulnerability in the popular open source library log4j has been reported, nick-named Log4shell. QF-Test is not (and has not) been vulnerable to this attack, for a number of reasons:

1. QF-Test does not directly use log4j, but has always used its own logging system which does not allow any string interpretation or code evaluation.
2. The JREs bundled with QF-Test - Oracle JDK and OpenJDK - have shipped with a default setting that should prevent exploitation since Oracle JRE 8u121 in 2019, the variable com.sun.jndi.rmi.object.trustURLCodebase is set to false or null by default, disallowing access to remote resources, and it is not changed by QF-Test. Our software currently ships with JRE 8u292.
3. Normally QF-Test is not executed in a server mode, so intruders cannot inject any string with malicious content. But also in daemon or license server mode QF-Test does not require any log4j classes.
4. None of the third-party libraries shipped with QF-Test contain log4j in any version vulnerable to the log4shell attack^*. This has been verified by us as described below for all current and past official QF-Test versions back to QF-Test 3.4.11 which predates the first vulnerable log4j version 2.0beta9.

^*) The log4j classes, which were embedded in the bundled version of the external ui-automation library before QF-Test 6.0.0 are known to not be vulnerable to the CVE-2021-44228 attack.

How to verify yourself that no vulnerable version of log4j is in use

To verify that no vulnerable version of log4j is bundled with QF-Test, you can use the Log4j detector tool. First, download the library to your system, e.g. to C:\TEMP. Open a command shell and navigate to the directory where you placed the file in. Then you can use the Java bundled with QF-Test to run the detection tool like this:

# On Windows:
> "C:\Program Files\QFS\qftest\qftest-5.3.4jre\win64\bin\java.exe" -jar log4j-detector-2021.12.13.jar "C:\Program Files\QFS\qftest\"
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [C:\Program Files\QFS\qftest\]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 !  :-)

# On Linux:
> /data/install/qftest/qftest-5.3.4/jre/linux64/bin/java -jar log4j-detector-2021.12.13.jar /data/install/qftest/
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [/data/ins tall/qftest/qftest-branch]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 !  :-)

# On macOS:
% /Applications/QF-Test.app/Contents/PlugIns/*.j*/Contents/Home/jre/bin/java -jar log4j-detector-2021.12.13.jar /Applications/QF-Test.app/Contents/Resources
-- Analyzing paths (could take a long time).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
-- No vulnerable Log4J 2.x samples found in supplied paths: [/Applications/QF-Test.app/Contents/Resources]
-- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 !  :-)

(In this example, default paths are used. Please adapt them to the requirements of your system.)

Verifying your own plug-ins

If your tests rely on external plugins not bundled and shipped with QF-Test you may want to make sure that these plugins are clean, too. From the QF-Test menu, open "Help->Info..." (on macOS "QF-Test->About QF-Test"), select the "System info" tab and follow the link to "dir.plugin". In your shell, execute the command from above, but replace path in the last argument with the path for "dir.plugin", for example:

# On macOS:
% /Applications/QF-Test.app/Contents/PlugIns/*.j*/Contents/Home/jre/bin/java -jar log4j-detector-2021.12.13.jar "/Users/pascal/Library/Application Support/de.qfs.apps.qftest/plugin"