Log4J2 Vulnerability Does Not Affect Liquibase
On Friday, December 10th, news started breaking about a new 0-day exploit in the popular log4j2 Java logging library. This exploit can allow an attacker to remotely execute code on a server or workstation running an application that includes this library. This is a serious vulnerability, so our team immediately investigated whether Liquibase includes this library in any code so that we could alert our users.
We confirmed that none of our editions or tools use the log4j2 library.
Liquibase took immediate action to inspect each Liquibase edition and tool (including all current versions and all previous versions) for evidence of this vulnerability. None were found. However, we did discover through our investigation that log4j2 is included in the Apache License 2.0 section of our README file in Liquibase Community & Liquibase Pro (v4.2.3) even though it is not actually used by the software. We will correct this in the next release of Liquibase.
Here’s the list of Liquibase editions and supporting tools that were evaluated for vulnerability:
- Liquibase Community (OSS edition) (all historical versions)
- Liquibase Pro (all supported versions)
- Liquibase Enterprise (all supported versions)
- Liquibase Business (all supported versions)
- Liquibase Data (all versions)
- Liquibase Hub (current production version)
- DMC (all supported versions)
Also, we’ve confirmed that Liquibase extensions use Liquibase editions for logging, so extensions are not affected.
Summing It Up
No Liquibase editions or versions are affected by the log4j2 vulnerability. If you are a Liquibase customer and you have any questions or concerns, please contact our support team. If you are one of our open source users and you have questions or concerns, please reach out to us via the Liquibase forum.