Are any versions of WeBWorK affected by the recent and critical Apache Log4j2 vulnerability?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
FWIW, my institution's IT team says we are clear with our installation. This follows scans from FireEye and consultation with InfoSec.
Of course this is a server that is dedicated to WeBWorK and has nothing else running on it.
Based on my reading I don't see anything related to WeBWorK that uses log4j2.
You can try the online tester at https://log4j-tester.trendmicro.com.
You can try the online tester at https://log4j-tester.trendmicro.com.
I found the following file within our installation of version 2.15:
/home/wwadmin/org/apache/commons/logging/impl/Log4JLogger.class
/home/wwadmin/org/apache/commons/logging/impl/Log4JLogger.class
I suspect that these are WeBWorK components based on Apache Commons Logging that can leverage Log4J, not directly Log4J software.
Is there any formal support for WeBWorK? Someone we can submit an email to with this question?
It would be great for the creators/maintainers of WeBWorK to make some sort of statement, even if it's just 'we are still trying to determine if WeBWorK is vulnerable'.
WeBWorK does not directly use LDAP or JNDI, and so technically speaking WeBWorK is not affected by this vulnerability.
The question is if your apache server installation is vulnerable. If your server is using Ubuntu check to see if you have the package liblog4j2-java installed. If not, then you have nothing to worry about. You shouldn't have that unless you are using it for something. WeBWorK doesn't use it or need it. If you have it installed, then remove it if you don't need it. If you need it, then see if you can upgrade to version 2.15.0 (which fixes the vulnerability). Ubuntu's repositories contain version 2.11.2, but you should be able to find newer version in a PPA or something.
Note that even if you have the package installed, your server is not vulnerable unless you also have the module enabled for apache2.
Glenn,
Thank you for the detailed response! I will use the information given to check out our system. Much appreciated!