dgtlmoon / changedetection.io

The best and simplest free open source web page change detection, website watcher, restock monitor and notification service. Restock Monitor, change detection. Designed for simplicity - Simply monitor which websites had a text change for free. Free Open source web page change detection, Website defacement monitoring, Price change notification
https://changedetection.io
Apache License 2.0
16.95k stars, 947 forks

Is changedetection.io vulnerable to Log4j (CVE-2021-44228)? #311

Closed: TheSamDickey closed 2 years ago

TheSamDickey commented 2 years ago

Because this is a public-facing service I host, I would like to know if it uses Log4j in any way. If it does, has it been patched appropriately?

I was looking through a thread about whether Nextcloud has a Log4j vulnerability, and many people laughed at the question. Because Nextcloud uses PHP, people thought it was safe. As it turns out, the default version of Apache the official Nextcloud Docker image uses is actually vulnerable.

I know this isn't a typical bug report, but this truly is a 'the sky is falling' security risk. I'm taking as many precautions as possible and am leaving no stone unturned.

dgtlmoon commented 2 years ago

Feels like the media is manipulating you into a stress-induced coma.

> I was looking through a thread about whether Nextcloud has a Log4j vulnerability

  1. https://help.nextcloud.com/t/apache-log4j-does-not-affect-nextcloud/129244
  2. It's really getting boring when someone says "I read somewhere" but does not include a link

No log4js here, can't vouch for your hosting environment tho, of course.