log4j security issue

[srkunze]

Just one question regarding the vulnerability of log4j. Is RocketChat affected?

[debdutdeb]

Hi, we don't have any dependencies on log4j, thus we shouldn't be affected.

I'll confirm with our engineering team. Closing this since not a bug.

[Philipp3211]

@debdutdeb Has the engineering team confirmed, that you are not affected?

[debdutdeb]

Yes @Philipp3211 :)

[derspotter]

I think this is incorrect. With sudo find / -name "log4j*" I found .../app/bundle/programs/server/npm/node_modules/moleculer/src/loggers/log4js.js I believe this is in rocket.chat or am I mistaken?

[gronke]

From https://github.com/log4js-node/log4js-node/blob/master/README.md

Although it's got a similar name to the Java library log4j, thinking that it will behave the same way will only bring you sorrow and confusion.

[derspotter]

From https://github.com/log4js-node/log4js-node/blob/master/README.md

Although it's got a similar name to the Java library log4j, thinking that it will behave the same way will only bring you sorrow and confusion.

So log4js is not affected? I am relieved. Thank you for the fast answer.

[fdellwing]

This is a Java specific bug, the same library in any other language will not have this problem.