{"id":417033,"date":"2021-12-17T11:57:37","date_gmt":"2021-12-17T10:57:37","guid":{"rendered":"https:\/\/glpi-project.org\/?p=415963"},"modified":"2025-06-16T13:22:35","modified_gmt":"2025-06-16T12:22:35","slug":"glpi-is-not-affected-by-the-log4j-vulnerability-cve-2021-44228","status":"publish","type":"post","link":"https:\/\/www.glpi-project.org\/en\/glpi-is-not-affected-by-the-log4j-vulnerability-cve-2021-44228\/","title":{"rendered":"GLPI is NOT affected by the Log4j vulnerability CVE-2021-44228"},"content":{"rendered":"<p>A newly revealed <strong>critical<\/strong> vulnerability impacting Apache Log4j was disclosed and registered as <a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-44228\" target=\"_blank\" rel=\"noopener\">CVE-2021-44228<\/a> with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system.<\/p>\n<blockquote>\n<p>We would like to assure all users that GLPI core and its plugins, <strong>being written in PHP<\/strong> and not using Log4j, <strong>are not affected by the Log4Shell vulnerability<\/strong>.<\/p>\n<\/blockquote>\n<p>Exploiting this vulnerability requires a Java Virtual Machine and the org.apache.logging.log4j.core.lookup.JndiLookup Java class in a vulnerable version. 
Neither of them is included or used in GLPI distributions.<\/p>\n<p><strong>We can also confirm that:<\/strong><\/p>\n<ul>\n<li><strong><a href=\"https:\/\/github.com\/glpi-project\/android-inventory-agent\" target=\"_blank\" rel=\"noopener\">GLPI Android Agent<\/a><\/strong> (written in Java) does not use the Log4j library and thus <strong>is not affected by the Log4Shell vulnerability<\/strong><\/li>\n<li><strong><a href=\"https:\/\/github.com\/glpi-project\/glpi-agent\" target=\"_blank\" rel=\"noopener\">GLPI Agent<\/a><\/strong> (written in Perl) <strong>is not affected by the Log4Shell vulnerability<\/strong><\/li>\n<\/ul>\n<p><strong>Warning:<\/strong> this does not rule out an impact on layers or tools upstream of GLPI (reverse proxy, firewall, etc.) or connected to GLPI, which we cannot know about in your context.<\/p>\n<p>For example, if you have a Metabase server connected to GLPI, note that <a href=\"https:\/\/github.com\/metabase\/metabase\/releases\/tag\/v0.41.4\" target=\"_blank\" rel=\"noopener\">Metabase (&lt;0.41.4)<\/a> is affected by the Log4j vulnerability, and you should update it ASAP!<\/p>\n<p class=\"part\" data-startline=\"17\" data-endline=\"17\">Documentation:<\/p>\n<ul class=\"part\" data-startline=\"18\" data-endline=\"21\">\n<li class=\"\" data-startline=\"18\" data-endline=\"18\"><a href=\"https:\/\/github.com\/advisories\/GHSA-jfh8-c2jp-5v3q\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/advisories\/GHSA-jfh8-c2jp-5v3q<\/a><\/li>\n<li class=\"\" data-startline=\"19\" data-endline=\"19\"><a href=\"https:\/\/github.com\/NCSC-NL\/log4shell\/tree\/main\/software\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/NCSC-NL\/log4shell\/tree\/main\/software<\/a><\/li>\n<li class=\"\" data-startline=\"20\" data-endline=\"21\"><a href=\"https:\/\/www.cert.ssi.gouv.fr\/alerte\/CERTFR-2021-ALE-022\/\" target=\"_blank\" rel=\"noopener 
noreferrer\">https:\/\/www.cert.ssi.gouv.fr\/alerte\/CERTFR-2021-ALE-022\/<\/a><\/li>\n<\/ul>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A newly revealed critical vulnerability impacting Apache Log4j was disclosed and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system. We would like to assure all users [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[157],"tags":[],"class_list":["post-417033","post","type-post","status-publish","format-standard","hentry","category-communaute"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/posts\/417033","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/comments?post=417033"}],"version-history":[{"count":1,"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/posts\/417033\/revisions"}],"predecessor-version":[{"id":436408,"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/posts\/417033\/revisions\/436408"}],"wp:attachment":[{"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/media?parent=417033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.glpi-project.org\/en\/wp-json\/wp\/v2\/categories?post=417033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\
/www.glpi-project.org\/en\/wp-json\/wp\/v2\/tags?post=417033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}