A vulnerability has been found in Log4j that can result in Remote Code Execution (RCE): CVE-2021-44228, also known as Log4Shell.
ZAP 2.11.0 and the previous weekly and dev versions of ZAP use Log4j 2.14.1, which is known to be vulnerable. There may well be ways to abuse ZAP versions <=2.11.0 that we have not yet discovered or anticipated, so please upgrade at your earliest opportunity.
ZAP 2.11.1 has been released. This upgrades ZAP to a non-vulnerable version of the Log4j library.
We strongly recommend that all users upgrade to this release ASAP.
All of the packages maintained by the core team have been updated and we have notified all of the 3rd Party Package Maintainers that we are aware of.
Updated Advice for Older Versions
First, the good news: out of the box ZAP does not typically log strings that could be used to exploit this vulnerability, so exposure to it should be limited.
If you have not changed the default ZAP Log4j settings and have not exposed the ZAP API to untrusted addresses (which we do not advise in any case), then at this stage we believe that you will not be vulnerable.
In particular, if you are running ZAP in a container such as Docker and have not exposed the ZAP API outside of the container, then you should be fine.
If you cannot update to 2.11.1 right now then we do recommend that you:
- Do not expose the ZAP API to untrusted addresses
- Do not run ZAP with debug logging on, unless you are only testing trusted websites
- Turn logging off, just to be safe
To turn ZAP logging off, see the FAQ "How do you configure ZAP logging?" and change all logging levels to "off", e.g.:

    rootLogger.level = off
    logger.paros.level = off
    logger.zap.level = off
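The following script is an added example and is not part of the ZAP project or this advisory. It checks whether the interim mitigations above have actually been applied to a ZAP installation: it parses a Log4j 2 properties file, reports which of the three loggers named above are not set to "off", rewrites the file so that they are, and flags a bundled log4j-core jar whose version predates the CVE-2021-44228 fix (2.15.0). It assumes a jar naming convention of log4j-core-<version>.jar and uses a constructed sample configuration; the location of your own log4j2.properties is given in the FAQ linked above.

```python
"""Verify the interim Log4Shell mitigations for a ZAP install.

Added example, not ZAP project code. Assumptions (not from the advisory):
the log4j-core jar is named log4j-core-<major>.<minor>.<patch>.jar and the
Log4j configuration is a Java .properties file as described in the ZAP FAQ.
"""
import re
from pathlib import Path

# The three loggers the advisory says to set to "off" as an interim mitigation.
REQUIRED_OFF = ("rootLogger.level", "logger.paros.level", "logger.zap.level")

# log4j-core releases below 2.15.0 are affected by CVE-2021-44228.
FIXED_VERSION = (2, 15, 0)

# Constructed sample resembling a ZAP log4j2.properties with debug logging on
# and one of the three loggers left undeclared.
SAMPLE_PROPERTIES = """\
# ZAP logging configuration (constructed sample, not a real ZAP file)
status = error
rootLogger.level = debug
rootLogger.appenderRef.stdout.ref = STDOUT
logger.paros.name = org.parosproxy.paros
logger.paros.level = debug
logger.zap.name = org.zaproxy.zap
"""


def parse_properties(text):
    """Minimal Java .properties parser: 'key = value' or 'key: value' lines,
    '#' and '!' comments. Continuation lines (trailing backslash) are not
    handled because Log4j level keys never need them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def loggers_not_off(props):
    """Return the advisory's keys whose level is missing or not 'off'."""
    return [k for k in REQUIRED_OFF if props.get(k, "").lower() != "off"]


def harden_properties(text):
    """Return the config with the three levels forced to 'off'. Existing lines
    keep their formatting; keys that are absent are appended at the end."""
    seen = set()
    out = []
    for raw in text.splitlines():
        m = re.match(r"(\s*)([^=:\s#!]+)(\s*[=:]\s*)(.*)", raw)
        if m and m.group(2) in REQUIRED_OFF:
            seen.add(m.group(2))
            out.append(f"{m.group(1)}{m.group(2)}{m.group(3)}off")
        else:
            out.append(raw)
    for key in REQUIRED_OFF:
        if key not in seen:
            out.append(f"{key} = off")
    return "\n".join(out) + "\n"


def log4j_core_version(jar_name):
    """Extract (major, minor, patch) from a name like log4j-core-2.14.1.jar,
    or None if the file is not a log4j-core jar (e.g. log4j-api)."""
    m = re.fullmatch(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar", Path(jar_name).name)
    return tuple(int(x) for x in m.groups()) if m else None


def core_jar_vulnerable(jar_name):
    """True if the jar is log4j-core older than the CVE-2021-44228 fix."""
    version = log4j_core_version(jar_name)
    return version is not None and version < FIXED_VERSION


def check_installation(properties_text, jar_names):
    """Summarise what is still exposed: loggers not off, vulnerable core jars."""
    return {
        "loggers_on": loggers_not_off(parse_properties(properties_text)),
        "vulnerable_jars": [j for j in jar_names if core_jar_vulnerable(j)],
    }


if __name__ == "__main__":
    # Constructed jar list standing in for the contents of a ZAP lib directory.
    jars = ["log4j-core-2.14.1.jar", "log4j-api-2.14.1.jar"]
    print(check_installation(SAMPLE_PROPERTIES, jars))
    print(harden_properties(SAMPLE_PROPERTIES))
```

Note that turning the loggers off only removes the logging path; a log4j-core jar reported as vulnerable still needs the upgrade to 2.11.1, since other code paths or a later configuration change could reintroduce the exposure.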