A new Java logging library vulnerability was reported and fixed this week, in a component called Logback. This vulnerability is similar in cause to that reported on Log4j, but less severe because it is much harder to exploit, requiring that an attacker has write access to the configuration file for Logback. Technical details are here: https://jira.qos.ch/browse/LOGBACK-1591

Diffblue Cover uses Logback for logging, but our application is signed which means an attack that tries to modify the configuration file to exploit the vulnerability will not work: the change will “break” the signature.

Diffblue Cover Reports also uses Logback, and is not signed – so an attacker who had compromised the system where Reports runs could feasibly modify the configuration file.

Here’s what we are doing:

  1. Upgrading to Logback 1.2.8, which does not contain the vulnerability
  2. Shipping upgraded versions of Cover and Cover reports: 2021.12.02 on Friday 17 December 2021.

Our recommended actions:

  • Upgrade to Diffblue Cover 2021.12.02 when released on Friday (both Cover and Cover Reports)
  • Review your own applications and update your dependencies to use a fixed version of Logback