CVE-2021-44228 - log4j - Discourse vulnerable?

Hi all

Is the vulnerable log4j library in use by Discourse - can an employee please issue a statement on potential exposure/review.

Thanks

6 Likes

Log4J is a Java library. Discourse is written in Ruby, not Java.

14 Likes

Thanks, so from the hosting side of things there is no Apache and log4j there?

4 Likes

Correct, a standard installation of Discourse doesn’t use Apache.

11 Likes

Note that any self-hosted or non-standard Discourse installs running on Apache httpd are not affected either.

The Apache HTTP server project does not use the Apache Log4J library, they are both projects from the Apache foundation so they share a name, but that’s about it.

14 Likes

Should those of us who run Discourse instances with java-based plugins disable said plugins?
(I’m definitely not a software engineer. That’s all Greek to me)

Discourse Plugins are written in Ruby (on Rails) and Javascript (with Ember), so I’m not sure which plugins you are referring too?

NB Javascript and Java are not the same thing.

7 Likes
3 Likes