Log4j in BigBlueButton

Background Log4J Zero day was announced on Fri, Dec 10, as the highest (10.0 CVSS) critical Log4j vulnerability was discovered. The Log4Shell vulnerability was exploited by attackers worldwide, allowing malicious strings to be logged. Apache Log4j is an open-source Java package that allows developers to log activity within applications. The Apache Log4j vulnerable versions are […]
21 Dec, 2021

Background

  • Log4J Zero day was announced on Fri, Dec 10, as the highest (10.0 CVSS) critical Log4j vulnerability was discovered. The Log4Shell vulnerability was exploited by attackers worldwide, allowing malicious strings to be logged.
  • Apache Log4j is an open-source Java package that allows developers to log activity within applications. The Apache Log4j vulnerable versions are versions 2.0 to version 2.14.1 inclusive. (updated: 2.15.0 was found with CVE-2021-45046 vulnerability)
  • Because the Apache Log4j component was approved to be used by many manufacturers, vendors, and software packages (such as Cisco, VMware, NetApp, Elastic Logstash, Docker, and more), Your IT environment might be vulnerable.

Log4J in BigBlueButton

BigBlueButton is not using Log4j. Hence, as a BigBlueButton administrator, you don’t need to worry about any log4j exploitation of BigBlueButton. 

BigBlueButton JVM applications are using logback for logging. I went looking further, even the bbb-lti does not have that class package. I have double checked all the transitive log4j dependencies, unzipped them and am 100% sure that the class “JndiLookup” is not compiled with any of them. – Ghazi Triki 

We’ve looked through the code base and concluded we are not vulnerable to the log4j exploit in BigBlueButton 2.2, 2.3, and 2.4. – Fred Dixon

BigBlueButton 2.2 on Ubuntu 16.x

BigBlueButton 2.2 is on an older version of Ubuntu, verison 16.x,  and we strongly recommend that anyone still on that older release to upgrade to BigBlueButton 2.4.

You may also like …

BigBlueButton WordPress Help

Discover the BigBlueButton WordPress Plugin, a versatile tool for both online classrooms and corporate meetings. Seamlessly integrate with BigBlueButton servers, create unlimited classes, initiate sessions with a click, and enjoy extensive customization. Experience effortless hosting with enhanced security, personalized branding, and no impact on site performance. Elevate your virtual engagement effortlessly.

Save 40% on BigBlueButton Hosting

Enjoy a 40% reduction in your hosting expenses compared to AWS, Digital Ocean, and other hosting providers, enabling you to invest more in your core business. Embrace a 100% uptime, experts-managed online classroom experience today.