Discourse and the Log4j vulnerability

On 9th December, CVE 2021-44228 was published for log4j, a commonly-used Java logging library. Subsequently, CVE-2021-45046 and CVE-2021-45105 have also been published. We’ve received a number of questions about these vulnerabilities, and whether they affect Discourse.

Discourse is a Ruby application, and therefore does not make any use of this Java library. In addition, our standard installation instructions for self-hosted installations do not include any Java components.

Managed discourse.org hosting

As part of our managed discourse.org hosting service, we use a handful of Java-based applications including Jenkins, Elasticsearch, Logstash, and Kibana. As soon as we became aware of the vulnerability, we checked all of those components against the advisories from their developers.

We conducted a full security assessment following the report.

  • Audit of current running software which may be impacted by the log4j vulnerability
  • Audit of impact of potential flaw
  • Log analysis

Our versions of Jenkins, Elasticsearch and Kibana were unaffected by the vulnerability. Our version of Logstash may have been vulnerable to Denial of Service attacks under specific conditions, but was not vulnerable to the widely-reported Remote Code Execution vulnerability.

All these components have been updated to their latest versions and are now running the latest version of Log4j (2.17). For more information, you can read the security advisory from Elastic, and the blog post from Jenkins.

Information is evolving fast. We are following the news and will update further if deemed necessary.

We also validated the state of log4j remediation on our sensitive vendors. Here are some of the public notices our vendors made.

Some vendors were contacted privately.


Note, for some reason this topic dropped off the index on Google, doing a quick test here to see if adding a reply gets it crawled and added to the index.