Log4j vulnerability, Plone not affected, but maybe other supporting apps in your stack

Yesterday in the Steering Circle meeting we briefly discussed the recently published severe vulnerability in a Java logging module called log4j. This module is used in many Java (web) applications.

@jensens already posted a tweet about this yesterday:

Because customers asked: @plone does not use any Java-tech vulnerable to the log4j RCE (CVE-2021-44228). Our stack is entirely based on #python.
Third party integrations (like with Solr, ElasticSearch) need to be checked, also complex deployments ...

So the Core Plone setup is not affected as it is written in Python and not Java. But you might use software written in Java for additional functionality in your Plone website.

  • One of those is better searching through the use of Solr or ElasticSearch. These are likely installed if you use collective.solr (Plone integration) and collective.recipe.solrinstance or kitconcept.recipe.solr to set up the local Solr server. But that doesn't automatically mean you are affected, as only Solr versions >6 seem to use a version of the log4j module, and released versions of the buildout recipe default to the (very old but stable) Solr 4 versions. Another add-on that might use Solr is alm.solrindex. And there is collective.elasticsearch.

  • Someone also mentioned logstash being affected, if you use any log aggregation tools with logstash -> elasticsearch to watch the zope/nginx/varnish/Volto-razzle server log output, for example.

  • collective.documentviewer can use OpenOffice Server, which is a Java application that possibly uses log4j.

  • ......

So the age-old consultant answer 'it depends' applies here as well. Bottom line: check your versions and the online documentation for the software you are using. The Steering Circle meeting came to the conclusion that we don't need to send out an announcement if the core distribution is not affected, so as not to add more noise to the signal.
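Since "check your versions" is the practical takeaway, here is an added example (not part of the original post, and not Plone or Solr project code) of how to do that for the Java pieces around a Plone site. It walks an install directory such as a Solr or Elasticsearch tree, reads the version from the Maven pom.properties that log4j-core jars ship with, classifies it against the CVE-2021-44228 range (2.0-beta9 through 2.14.1; 2.15.0 and later close this specific CVE), and reports whether the JndiLookup class is still present in the jar. The sample jars it builds when run without arguments are constructed stand-ins containing only the metadata entry and a placeholder class entry; the directory layout and the helper names are this example's own assumptions.

```python
import os
import re
import tempfile
import zipfile

# Real entry path of the lookup class in log4j-core jars (the class involved in CVE-2021-44228).
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Real Maven metadata path inside log4j-core jars; its "version=" line is more reliable than the filename.
POM_PROPERTIES_ENTRY = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$")


def classify_log4j_version(version):
    """Classify a log4j-core version string against CVE-2021-44228 only.

    Affected range: 2.0-beta9 through 2.14.1. "patched" means 2.15.0 or later,
    which closes this CVE; later releases address follow-up CVEs, so always
    compare against the vendor's current advisory as well.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    beta = int(m.group(4)) if m.group(4) else None
    if major != 2:
        return "not-log4j2"  # log4j 1.x is outside this CVE's scope (but is end-of-life)
    if minor == 0 and beta is not None and beta < 9:
        return "not-affected"
    if minor < 15:
        return "vulnerable"
    return "patched"


def inspect_jar(path):
    """Return (version or None, jndi_lookup_present) for a single jar file."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES_ENTRY in names:
            text = jar.read(POM_PROPERTIES_ENTRY).decode("utf-8", "replace")
            for line in text.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_ENTRY in names


def scan_tree(root):
    """Walk a directory tree and report every log4j-core jar found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar") and "log4j-core" in name:
                path = os.path.join(dirpath, name)
                version, has_jndi = inspect_jar(path)
                status = classify_log4j_version(version) if version else "unknown-version"
                findings.append({"jar": path, "version": version,
                                 "status": status, "jndi_lookup_class": has_jndi})
    return findings


def build_sample_jar(directory, version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: metadata plus a placeholder class entry."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES_ENTRY,
                     f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return path


def demo_scan():
    """Build a constructed 'solr' and 'elasticsearch' tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="log4jscan-")
    for sub, ver in (("solr", "2.14.1"), ("elasticsearch", "2.17.1")):
        d = os.path.join(root, sub)
        os.makedirs(d)
        build_sample_jar(d, ver)
    return {os.path.basename(f["jar"]): (f["status"], f["jndi_lookup_class"])
            for f in scan_tree(root)}


if __name__ == "__main__":
    import sys
    # Pass a real install directory (e.g. your Solr home) to scan it; with no argument, scan the demo tree.
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = [{"jar": k, "version": None, "status": v[0], "jndi_lookup_class": v[1]}
                   for k, v in demo_scan().items()]
    for f in results:
        print(f"{f['status']:<16} jndi={'yes' if f['jndi_lookup_class'] else 'no':<4} {f['jar']}")
```

A "vulnerable" jar whose JndiLookup entry is absent indicates someone already applied the class-removal workaround, which is worth recording in the inventory alongside the planned upgrade; "unknown-version" means the jar lacks the Maven metadata and the version has to be confirmed from the vendor's release notes.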

But if community members have more examples of Java software they use to support their Plone website which is affected by the log4j vulnerability, please mention them here in this thread. Sometimes it can be messy to remember exactly all the software you run, and this thread can serve as a checklist for others.

@rioksane : Done!

[edit: typos & request]