The recent announcement of CVE-2021-44228, which allows for "arbitrary code loaded from LDAP servers when message lookup substitution is enabled" through a vulnerability in Log4j has many people double checking the dependencies of their Java applications.
CleanSpeak is not affected
CleanSpeak is not affected by this vulnerability in Log4j. CleanSpeak uses a different logging framework, Logback, so there is no way that any CleanSpeak applications could be compromised.
Log4j is a popular logging framework and is used in many Java projects, both open source and commercial. When a CVE like this comes out, it makes sense to check all of your applications for the issue. Security is important to us and we understand why customers and users would reach out about this.
In conclusion, CleanSpeak is not affected by the Log4j vulnerability.
To learn more about the CVE, you can:
- visit the NIST CVE description
- review a detailed report about the vulnerability
- participate in the HackerNews discussion
- read a message from the Logback maintainers about this issue
What about Elasticsearch
Elasticsearch is used by CleanSpeak installations. However, in general the Elasticsearch service is not publicly accessible, if following the recommended security guidance.
Per the Elasticsearch documentation:
Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager. Elasticsearch on JDK8 or below is susceptible to an information leak via DNS which is fixed by a simple JVM property change.
There is no vulnerability if you are running in CleanSpeak Cloud. Deployments there do not allow external access to the Elasticsearch servers. If you need specific version information, please open a support ticket.
If you are self-hosting CleanSpeak, please review the Elasticsearch guidance and your Elasticsearch and Java configurations to ensure you aren't vulnerable.