Last week a new zero-day vulnerability in the widely used Java logging component Log4j was reported which allows remote code execution. This week, exploit code has been detected scanning for Internet-connected servers running affected Java code. The vulnerability has been assigned CVE-2021-44228 (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q).
Diffblue Cover does not use the log4j component and so is not affected by this vulnerability.
Diffblue Cover runs your Java code in order to write tests, but it does so within a security sandbox that blocks network traffic. So, for the highest level of security, we recommend that if your code uses Log4j you DO NOT use the `--disable-security-policy` option on Cover.
Diffblue Cover Reports does not use Log4j, but the component is included because it is a dependency of the Spring Boot framework. While we do not believe Reports is vulnerable because Log4j is never called, we are updating Reports to exclude Log4j and will post new releases.
UPDATE: Diffblue confirms that we are unaffected by all 3 of the Log4j vulnerabilities that have been found in the last 10 days. For further information on each of the Log4j vulnerabilities, please see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105