Monday, December 13, 2021

Vulnerability in the log4j library

A few days ago, a serious vulnerability in a popular Java logging library, log4j, was discovered. See CVE-2021-44228 for details.

Orbeon Forms uses the log4j library and therefore we have reviewed the issue. Luckily in this case, since Orbeon Forms use an older (version 1) of the library, it is not likely to be a target of this particular attack because that older version does not support so-called lookups (see this discussion by the authors of the library).

However, if you use the JMS appender in your log4j.xml configuration you might still be subject to some attacks. By default, the Orbeon Forms log4j.xml configuration does not include a JMS appender.

Therefore we recommend that all Orbeon Forms users check their log4j.xml configuration and make sure that they are not using any appenders that use networking features, including JMS and SocketServer. If your configuration logs to one or more files, as is the default, you are safe.

In the meanwhile, we are also working on migrating to a newer logging library such as log4j 2 (which has now addressed this vulnerability) or another library.

No comments:

Post a Comment