WeBWorK Main Forum

log4j vulnerability

by John Berry -
Number of replies: 6
Are any versions of WeBWorK affected by the recent and critical Apache Log4j2 vulnerability?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
In reply to John Berry

Re: log4j vulnerability

by Alex Jordan -

FWIW, my institution's IT team says we are clear with our installation. This follows scans from FireEye and consultation with InfoSec.

Of course this is a server that is dedicated to WeBWorK and has nothing else running on it.

In reply to John Berry

Re: log4j vulnerability

by John Berry -
I found the following file within our installation of version 2.15:

/home/wwadmin/org/apache/commons/logging/impl/Log4JLogger.class

I suspect that these are WeBWorK components based on Apache Commons Logging that can leverage Log4J, not directly Log4J software.
In reply to John Berry

Re: log4j vulnerability

by Jim Beers -

Is there any formal support for WeBWorK? Someone we can submit an email to with this question?

It would be great for the creators/maintainers of WeBWorK to make some sort of statement, even if it's just 'we are still trying to determine if WeBWorK is vulnerable'.

In reply to Jim Beers

Re: log4j vulnerability

by Glenn Rice -

WeBWorK does not directly use LDAP or JNDI, and so technically speaking WeBWorK is not affected by this vulnerability.

The question is if your apache server installation is vulnerable. If your server is using Ubuntu, check to see if you have the package liblog4j2-java installed. If not, then you have nothing to worry about. You shouldn't have that unless you are using it for something. WeBWorK doesn't use it or need it. If you have it installed, then remove it if you don't need it. If you need it, then see if you can upgrade to version 2.15.0 (which fixes the vulnerability). Ubuntu's repositories contain version 2.11.2, but you should be able to find a newer version in a PPA or something.

Note that even if you have the package installed, your server is not vulnerable unless you also have the module enabled for apache2.
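The package check described in the reply above, as an added example that is not part of the thread or of WeBWorK itself: it classifies the output of `dpkg-query` for liblog4j2-java against a fix threshold (2.15.0, the version named above; the threshold is a parameter so it can be raised), and adds a disk scan for log4j-core jars bundled by other software. The function names and the sample dpkg lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the forum thread or WeBWorK): check an Ubuntu host for
# the liblog4j2-java package named in the reply above, and report whether the
# installed version is at or above a fix threshold.

# Compare dotted versions field by field: returns 0 if $1 >= $2, 1 otherwise.
version_at_least() {
  a=$1; b=$2; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i+1))
  done
  return 0
}

# Classify one line of: dpkg-query -W -f='${Status} ${Version}\n' liblog4j2-java
# Prints one of: not-installed | installed-vulnerable VER | installed-fixed VER
# $2 is the fix threshold; defaults to 2.15.0 as stated in the thread.
classify_dpkg_line() {
  line=$1; threshold=${2:-2.15.0}
  case "$line" in
    *" installed "*) ;;                 # status "install ok installed <version>"
    *) echo not-installed; return 0 ;;  # unknown package, or removed/config-files
  esac
  raw=${line##* }                       # last field is the Debian version string
  # Drop an epoch ("1:") and the Debian revision ("-1ubuntu1") before comparing.
  ver=$(printf '%s' "$raw" | sed -e 's/^[0-9]*://' -e 's/[^0-9.].*//')
  if version_at_least "$ver" "$threshold"; then
    echo "installed-fixed $raw"
  else
    echo "installed-vulnerable $raw"
  fi
}

# Live check on an Ubuntu host (dpkg-query is assumed to exist there).
check_host() {
  line=$(dpkg-query -W -f='${Status} ${Version}\n' liblog4j2-java 2>/dev/null || true)
  classify_dpkg_line "$line" "$1"
}

# Bundled copies are not tracked by dpkg: scan a tree for Log4j 2 core jars.
# The Log4JLogger.class mentioned earlier in the thread is the commons-logging
# adapter, not the library itself, so it is deliberately not matched here.
find_log4j_core_jars() {
  find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null
}
```

Run `check_host` on the server for the package answer, and `find_log4j_core_jars /` (as a user that can read the relevant trees) for jars shipped inside other applications.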

In reply to Glenn Rice

Re: log4j vulnerability

by Jim Beers -

Glenn,

Thank you for the detailed response! I will use the information given to check out our system. Much appreciated!