A few of you may be aware of the Log4j vulnerability that has been discussed over the last few days and are worried about this impacting the servers that your CiviCRM and website are hosted on.
Well the short answer is, don't worry, your server isn't affected!
The long answer
When you hear the word Apache, you might think it means Apache servers which we do use. However the vulnerability is within Apache Java Logging, which isn't in use on our servers. We have a combination of CPanel and NGINX servers. Neither of which, in a standard set-up, use the Java Library so they are not vulnerable to this exploit. Some plug-ins on CPanel do use the library, however none of them are installed on any of our servers.
As always, with Information Security, this is a fast changing environment and it is a race between the hackers to exploit issues and the developers to mitigate the risks of those exploitations.
As Professor Moody would say... Constant Vigilance!
(Harry Potter Quotes in a security article?)
If you want to read more about the Log4j vulnerability check out this article in Wired
One of the benefits of using Open Source Software is that there are many eyes on issues like this. So there is more chance of someone finding a vulnerability and allowing the community to release fixes to resolve them. Unlike closed software where you are relying on fixes to be managed by their development team.
Written by Bari Pollard