Background
- The Log4j zero-day (Log4Shell) was announced on Fri, Dec 10, when the highest-severity (10.0 CVSS) critical Log4j vulnerability was disclosed. Log4Shell was exploited by attackers worldwide; it is triggered when an attacker-controlled malicious string is logged.
- Apache Log4j is an open-source Java package that lets developers log activity within applications. The vulnerable Log4j versions are 2.0 through 2.14.1 inclusive. (Update: 2.15.0 was subsequently found to be affected by CVE-2021-45046.)
- Because the Apache Log4j component is embedded in products from many manufacturers, vendors, and software packages (such as Cisco, VMware, NetApp, Elastic Logstash, Docker, and more), your IT environment might be vulnerable.
Log4J in BigBlueButton
BigBlueButton is not using Log4j. Hence, as a BigBlueButton administrator, you don’t need to worry about any log4j exploitation of BigBlueButton.
BigBlueButton JVM applications are using logback for logging. I went looking further; even the bbb-lti does not have that class package. I have double-checked all the transitive log4j dependencies, unzipped them, and am 100% sure that the class “JndiLookup” is not compiled with any of them. – Ghazi Triki
We’ve looked through the code base and concluded we are not vulnerable to the log4j exploit in BigBlueButton 2.2, 2.3, and 2.4. – Fred Dixon
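The dependency check Ghazi Triki describes, written out as an added example (not BigBlueButton code): it walks a directory of Java archives, descends into jars nested inside WARs, and reports any that contain JndiLookup.class. The sample archives it scans are constructed in a temporary directory and carry placeholder bytes, not real classes.

```python
import io
import os
import tempfile
import zipfile

# The class whose absence was verified by unzipping the transitive log4j dependencies.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def archive_contains(data: bytes, path: str = "") -> list:
    """Return 'outer!inner' paths of every JndiLookup.class inside an archive's bytes."""
    # Nested archives are opened recursively: WAR packaging puts log4j-core under WEB-INF/lib.
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []  # not a zip container, nothing to inspect
    hits = []
    with zipfile.ZipFile(buf) as zf:
        for name in zf.namelist():
            full = f"{path}!{name}" if path else name
            if name == JNDI_LOOKUP:
                hits.append(full)
            elif name.lower().endswith(ARCHIVE_EXT):
                hits.extend(archive_contains(zf.read(name), full))
    return hits


def scan_tree(root: str) -> dict:
    """Map each archive under root to its JndiLookup hits (an empty list means clean)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    results[full] = archive_contains(fh.read())
    return results


def build_sample_tree() -> str:
    """Constructed sample: a clean logback jar and a WAR nesting a jar that carries JndiLookup."""
    root = tempfile.mkdtemp(prefix="jndi-scan-")
    with zipfile.ZipFile(os.path.join(root, "logback-classic.jar"), "w") as z:
        z.writestr("ch/qos/logback/classic/Logger.class", b"\xca\xfe\xba\xbe")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return root
```

Point `scan_tree` at a server's application directory to repeat the check on your own deployment; any archive whose list is non-empty needs attention.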
BigBlueButton 2.2 on Ubuntu 16.x
BigBlueButton 2.2 is on an older version of Ubuntu, version 16.x, and we strongly recommend that anyone still on that older release upgrade to BigBlueButton 2.4.