CVE-2021-44228 - log4j - Discourse vulnerable?

a.harper · December 11, 2021, 1:18pm

Hi all

Is the vulnerable log4j library in use by Discourse - can an employee please issue a statement on potential exposure/review.

Thanks

Falco · December 11, 2021, 2:26pm

Log4J is a Java library. Discourse is written in Ruby, not Java.

a.harper · December 11, 2021, 3:08pm

Thanks, so from the hosting side of things there is no Apache and log4j there?

david · December 11, 2021, 3:26pm

Correct, a standard installation of Discourse doesn’t use Apache.

RGJ · December 11, 2021, 5:07pm

Note that any self-hosted or non-standard Discourse installs running on Apache httpd are not affected either.

The Apache HTTP server project does not use the Apache Log4J library, they are both projects from the Apache foundation so they share a name, but that’s about it.

VirgilVulpes · December 16, 2021, 9:50pm

Should those of us who run Discourse instances with java-based plugins disable said plugins?
(I’m definitely not a software engineer. That’s all Greek to me)

merefield · December 16, 2021, 9:52pm

Discourse Plugins are written in Ruby (on Rails) and Javascript (with Ember), so I’m not sure which plugins you are referring too?

NB Javascript and Java are not the same thing.

david · December 20, 2021, 9:28am

Topic		Replies	Views
Discourse and the Log4j vulnerability Announcements security	1	1075	March 18, 2022
How to run Discourse as an Apache VirtualHost Installation	5	2527	August 5, 2020
How to run Discourse in Apache vhost, not Nginx Installation unsupported-install	30	2266	August 14, 2023
Apache w/ SSL + Discourse: Next steps? Installation	12	1593	August 1, 2020
Wanting to run Discourse alongside apache Installation	13	1912	September 7, 2019

CVE-2021-44228 - log4j - Discourse vulnerable?

Related topics