Hi all Is the vulnerable log4j library in use by Discourse - can an employee please issue a statement on potential exposure/review. Thanks

[imagen] Discourse and the Log4j vulnerability megaphoneAnnouncements On 9th December, CVE 2021-44228 was published for log4j, a commonly-used Java logging library. Subsequently, CVE-2021-45046 and CVE-2021-45105 have also been published. We’ve received a numbe…

Log4J is a Java library. Discourse is written in Ruby, not Java.

Thanks, so from the hosting side of things there is no Apache and log4j there?

Correct, a standard installation of Discourse doesn’t use Apache.

Note that any self-hosted or non-standard Discourse installs running on Apache httpd are not affected either. The Apache HTTP server project does not use the Apache Log4J library, they are both projects from the Apache foundation so they share a name, but that’s about it.

Should those of us who run Discourse instances with java-based plugins disable said plugins? (I’m definitely not a software engineer. That’s all Greek to me)

Discourse Plugins are written in Ruby (on Rails) and Javascript (with Ember), so I’m not sure which plugins you are referring too? NB Javascript and Java are not the same thing.

CVE-2021-44228 - log4j - ¿Discourse vulnerable?

Soporte Instalación

david (David Taylor) 20 Diciembre, 2021 09:28 8

Tema		Respuestas	Vistas
Discourse and the Log4j vulnerability Announcements security	1	1111	18 Marzo 2022
Where does Discourse store and show logs? Self-Hosting reference	8	25107	10 Diciembre 2025
Discourse Vulnerability CVE-2021-41163 Self-hosting	10	1514	30 Octubre 2021
LDAP Setup for Discourse Self-hosting discourse-ldap-auth	33	13195	15 Septiembre 2025
View logs for the WP Discourse plugin Administrators wordpress , how-to	0	2010	18 Mayo 2021

CVE-2021-44228 - log4j - ¿Discourse vulnerable?

Temas relacionados