Navigation

Decidim is not affected by the Log4j vulnerability (CVE- 2021-44228)

Security researchers recently found out an extremely critical level vulnerability in the Log4j Java library. This vulnerability was publicly announced on 10th December 2021 as CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) and affects the web widely.

Decidim itself is not affected by this vulnerability because Decidim is written in the Ruby programming language, not Java. This vulnerability concerns applications programmed in the Java programming language that include a vulnerable version of the Log4j library.

Some Decidim administrators may prefer to run Decidim behind the Apache HTTP server (httpd). Apache HTTP server (httpd) is not affected by the Log4j vulnerability as it is not a Java application. Apache is a software vendor who provides many different software tools and libraries, Log4j being one of them and not related to the HTTP server.

Nevertheless, we encourage everyone to investigate with the utmost priority any possible Java software installed on their Decidim servers or related services attached to Decidim, such as organizational single sign-on (SSO) services integrated with Decidim.

Please be ensured that the Decidim team and the community around it consider security extremely seriously and continue to ensure Decidim stays secure as their highest possible priority. We strive to ensure Decidim users are safe as data confidentiality is one of the leading principles of Decidim’s Social Contract (https://docs.decidim.org/en/understand/social-contract/).

You can find tools that may be used to scan whether your server contains software vulnerable to CVE- 2021-44228 from: https://github.com/NCSC-NL/log4shell/blob/main/scanning/README.md

A constantly updating list of software that is known to be vulnerable or has been identified as not vulnerable: https://github.com/NCSC-NL/log4shell/blob/main/software/README.md

In order to identify potential exploitation attempts or scans from your server logs, you may use the following commands:

sudo egrep -I -i -r '$({|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop| corba|nds|http):/[^\n]+' /var/log sudo find /var/log -name *.gz -print0 | xargs -0 zgrep -E -i '\ $({|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n] +'

More information about these commands available at: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b