Impact
A published CVE affects two log4j jar files that Ghidra ships as dependencies. We strongly encourage anyone using versions of Ghidra < 10.1, old source builds, or old development branches to remediate this issue by following the instructions below.
Simply loading a binary with a crafted string that is passed to log4j for logging, such as a string that does not "demangle" correctly, can exercise the vulnerable path.
Upgrading Existing Installation
Patching Legacy Installation
If you are unable to upgrade to the latest Ghidra release, you can patch an existing legacy Ghidra installation by deleting:
<ghidra_install_dir>/Ghidra/Framework/Generic/lib/log4j-api-2.x.x.jar
<ghidra_install_dir>/Ghidra/Framework/Generic/lib/log4j-core-2.x.x.jar
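and replacing them with log4j 2.17.1:
<ghidra_install_dir>/Ghidra/Framework/Generic/lib/log4j-api-2.17.1.jar
<ghidra_install_dir>/Ghidra/Framework/Generic/lib/log4j-core-2.17.1.jar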
Finally, to ensure that the Ghidra Server finds the new jars, fix the paths of log4j-api and log4j-core in <ghidra_install_dir>/Ghidra/Features/GhidraServer/data/classpath.frag to reference version 2.17.1.
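One way to verify the legacy-installation patch described above, as an added example that is not part of the original advisory or the Ghidra project: the function checks that Generic/lib holds only the 2.17.1 jars and that classpath.frag names no other log4j-api or log4j-core version. The function name check_ghidra_log4j and the assumption that jar file names appear literally in classpath.frag belong to this example.

```shell
#!/bin/sh
# Added example (not from the Ghidra project): audit a patched install.
# check_ghidra_log4j <ghidra_install_dir> [expected_version]
# Returns 0 if clean, 1 if a stale jar or reference remains, 2 on a bad path.
check_ghidra_log4j() {
    dir=$1
    want=${2:-2.17.1}
    lib="$dir/Ghidra/Framework/Generic/lib"
    frag="$dir/Ghidra/Features/GhidraServer/data/classpath.frag"
    rc=0

    [ -d "$lib" ] || { echo "missing directory: $lib" >&2; return 2; }

    # Generic/lib must hold exactly the expected api and core jars.
    for name in log4j-api log4j-core; do
        found=0
        for jar in "$lib/$name"-[0-9]*.jar; do
            [ -e "$jar" ] || continue          # glob matched nothing
            if [ "${jar##*/}" = "$name-$want.jar" ]; then
                found=1
            else
                echo "stale jar: $jar"
                rc=1
            fi
        done
        [ "$found" -eq 1 ] || { echo "not found: $lib/$name-$want.jar"; rc=1; }
    done

    # classpath.frag must not name any other log4j-api/log4j-core version.
    # Assumption: jar file names appear literally in the file.
    if [ -f "$frag" ]; then
        refs=$(grep -oE 'log4j-(api|core)-[0-9][0-9A-Za-z.-]*\.jar' "$frag" || true)
        for ref in $refs; do
            case $ref in
                "log4j-api-$want.jar" | "log4j-core-$want.jar") ;;
                *) echo "classpath.frag references $ref"; rc=1 ;;
            esac
        done
    fi
    return "$rc"
}
```

Source the file and call check_ghidra_log4j with the installation directory; a non-zero return means a jar or classpath entry still needs attention.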
Patching Development Environment
If you are running Ghidra from the development environment, please pull the latest master branch (or patch/stable if applicable), and execute the following to upgrade your repo to the newer log4j:
$ gradle prepdev cleanEclipse eclipse
After the above command completes, refresh all of your Eclipse projects.
To confirm that Ghidra will be launched with the new log4j jars, confirm that they are referenced in build/libraryDependencies.txt under the Module: Generic section.
Other log4j CVEs
There are several other recent CVEs associated with log4j including:
The way Ghidra uses log4j does not make it vulnerable to these attacks. However, your version of Ghidra may contain a log4j jar referenced in these CVEs. It is always best practice to upgrade to the latest version of Ghidra to ensure you have a secure version of log4j on your filesystem.
References
The details of the vulnerability can be found here:
For more information
If you have any additional questions, comments, or concerns about this advisory and how it impacts Ghidra, please do not hesitate to open an issue in the Ghidra project's discussions or issues.