Log4J2 Vulnerability Does Not Affect Liquibase

On Friday, December 10th, news started breaking about a new 0-day exploit on the popular log4j2 Java logging library. This exploit can allow an attacker to remotely execute code on a server or workstation running an application with this library. This is a serious vulnerability, so our team immediately investigated if Liquibase includes this library in any code to ensure we could alert our users. 

We confirmed that none of our editions or tools use the log4j2 library.

Liquibase took immediate action to inspect each Liquibase edition and tool (including all current versions and all previous versions) for evidence of this vulnerability. None were found. However, we did discover through our investigation that log4j2 is included in the Apache License 2.0 section of our README file in Liquibase Community & Liquibase Pro (v4.2.3) even though it is not actually used by the software. We will correct this in the next release of Liquibase.

Here's the list of Liquibase editions and supporting tools that were evaluated for vulnerability:

• Liquibase Community (OSS edition) (all historical versions)
• Liquibase Pro (all supported versions)
• Liquibase Enterprise (all supported versions)
• Liquibase Business (all supported versions)
• Liquibase Data (all versions)
• Liquibase Hub (current production version)
• DMC (all supported versions)

Also, we’ve confirmed that Liquibase extensions use Liquibase editions for logging, so extensions are not affected.

Summing It Up

No Liquibase editions or versions are affected by the log4j2 vulnerability. If you are a Liquibase customer and you have any questions or concerns, please contact our support team. If you are one of our open source users and you have questions or concerns, please reach out to us via the Liquibase forum.