On 9th December, CVE-2021-44228 was published for log4j, a commonly used Java logging library. Subsequently, CVE-2021-45046 and CVE-2021-45105 have also been published. We’ve received a number of questions about these vulnerabilities and whether they affect Discourse.
Discourse is a Ruby application, and therefore does not make any use of this Java library. In addition, our standard installation instructions for self-hosted installations do not include any Java components.
Managed discourse.org hosting
As part of our managed discourse.org hosting service, we use a handful of Java-based applications including Jenkins, Elasticsearch, Logstash, and Kibana. As soon as we became aware of the vulnerability, we checked all of those components against the advisories from their developers.
We conducted a full security assessment following the report.
- Audit of currently running software that may be impacted by the log4j vulnerability
- Audit of the impact of the potential flaw
- Log analysis
Our versions of Jenkins, Elasticsearch and Kibana were unaffected by the vulnerability. Our version of Logstash may have been vulnerable to Denial of Service attacks under specific conditions, but was not vulnerable to the widely-reported Remote Code Execution vulnerability.
All these components have been updated to their latest versions and are now running the latest version of Log4j (2.17). For more information, you can read the security advisory from Elastic, and the blog post from Jenkins.
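The first step of that assessment, inventorying which log4j versions are present, is easy to get wrong by hand. The following Ruby script is an added example written for this post (it is not Discourse's own tooling): it takes a list of JAR paths, picks out `log4j-core` artifacts by their Maven filename, and flags any version below 2.17.0, the release the post refers to. The paths in `SAMPLE_JARS` are constructed sample input and do not describe any real host.

```ruby
# Added example, not Discourse's code: inventory log4j-core JARs and flag any
# whose version predates 2.17.0. Only log4j-core carries the vulnerable JNDI
# lookup; log4j-api on its own is not the affected artifact.
require "rubygems" # Gem::Version (standard library) gives correct semantic comparison

FIXED_VERSION = Gem::Version.new("2.17.0")

# Standard Maven artifact name for the 2.x line, e.g. log4j-core-2.14.1.jar.
# 1.x artifacts are deliberately not matched: they are end-of-life and have
# different advisories, so they should be handled separately.
LOG4J_CORE_RE = /\Alog4j-core-(2\.\d+(?:\.\d+)?)\.jar\z/

# Return the log4j-core version encoded in a JAR filename, or nil if the
# file is not a log4j-core 2.x artifact.
def log4j_core_version(path)
  m = LOG4J_CORE_RE.match(File.basename(path))
  m && Gem::Version.new(m[1])
end

# Classify one path as :not_log4j, :fixed (>= 2.17.0) or :vulnerable (< 2.17.0).
def classify_jar(path)
  v = log4j_core_version(path)
  return :not_log4j unless v
  v >= FIXED_VERSION ? :fixed : :vulnerable
end

# Build an audit report (one hash per log4j-core JAR) from a list of paths.
def audit_jars(paths)
  paths.each_with_object([]) do |p, report|
    status = classify_jar(p)
    next if status == :not_log4j
    report << { path: p, version: log4j_core_version(p).to_s, status: status }
  end
end

# Constructed sample inventory (hypothetical paths, not taken from the post).
# In practice, feed the script the output of a filesystem search such as
# `find / -name 'log4j-core-*.jar'`.
SAMPLE_JARS = [
  "/opt/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar",
  "/var/lib/elasticsearch/lib/log4j-core-2.17.0.jar",
  "/opt/jenkins/WEB-INF/lib/log4j-api-2.17.0.jar",
  "/opt/app/lib/commons-lang3-3.12.0.jar",
].freeze

if $PROGRAM_NAME == __FILE__
  audit_jars(SAMPLE_JARS).each do |r|
    puts "#{r[:status].to_s.upcase.ljust(10)} #{r[:version].ljust(8)} #{r[:path]}"
  end
end
```

A filename check is only a first pass: applications that ship a shaded or "uber" JAR embed the log4j classes under a different name, so a thorough audit also lists JAR contents and looks for `org/apache/logging/log4j/core/lookup/JndiLookup.class`. Treat the vendor advisories the post links to as the authoritative answer for each component, and use a scan like this one to confirm that the running deployment actually matches what the advisory says.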
Information is evolving fast. We are following the news and will update further if deemed necessary.
We also validated the state of log4j remediation with our sensitive vendors. Here are some of the public notices our vendors made.
- Stripe - Update for Apache Log4j vulnerability
- Google Cloud - Apache Log4j 2 Vulnerability
- AWS - Update for Apache Log4j2 Issue
Some vendors were contacted privately.