Is cerebro impacted by CVE-2021-44228 (Apache Log4j)?

lmenezes / cerebro-docker

official cerebro docker image

118 stars 40 forks source link

Is cerebro impacted by CVE-2021-44228 (Apache Log4j)? #16

Open SnDsound opened 2 years ago

SnDsound commented 2 years ago

Hi,

Is cerebro impacted by CVE-2021-44228 (Apache Log4j) vulnerability? Is a possibility to pass "-Dlog4j2.formatMsgNoLookups=true" for java by environment variable in docker compose?

Regards, Peter

t-braune commented 2 years ago

Hey Peter,

i am not a contributor nor a java developer, here is what my research come out with:

Nothing with log4j in the repo (usually you would have some log4j configuration flying around): https://github.com/lmenezes/cerebro/search?q=log4j
It makes use of logback fileAppender (which is not using log4j): https://github.com/lmenezes/cerebro/blob/main/conf/logback.xml#L5

I would say there is nothing to concern about but i am not a security expert.

Regards, Tobi

sebastien-helbert commented 1 year ago

Hey Peter,

i am not a contributor nor a java developer, here is what my research come out with:

Nothing with log4j in the repo (usually you would have some log4j configuration flying around): https://github.com/lmenezes/cerebro/search?q=log4j

It makes use of logback fileAppender (which is not using log4j): https://github.com/lmenezes/cerebro/blob/main/conf/logback.xml#L5

I would say there is nothing to concern about but i am not a security expert.

Regards, Tobi

I confirm, this PR can be closed