New log4j vulnerability

A new ‘extremely critical vulnerability’ has emerged in the log4j library.

I ran this command on my server to discover that the rocket.chat service may be relying on this library.

philipp@myserver:~$ sudo find / -name "log4j*"
/snap/rocketchat-server/1491/programs/server/npm/node_modules/moleculer/src/loggers/log4js.js

Would anybody be able to confirm whether that’s correct? Do I need to be worried?

Hope this gets some attention soon.

1 Like

Hello,

Is there any information from Rocket Chat about this vulnerability, and whether Log4J is used in RocketChat?
I didn't find anything on the Rocket.chat blog, homepage or GitHub.

Every big company has information about this. Why is there no information from RocketChat?

2 Likes

Log4js (what you found) has nothing to do with the Log4j Java library, so no, there is no problem.

3 Likes
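
A way to triage `find -name "log4j*"` hits like the one above, separating the Java library from the unrelated Node.js log4js logger (an added example, not part of the original thread and not Rocket.Chat's own tooling). The function names and labels are hypothetical; it assumes the Java library is identified by the `JndiLookup.class` entry that log4j-core 2.x ships, and it does not look inside compressed archives nested in other archives.

```shell
#!/bin/sh
# Added example: classify files that match a "log4j" search.
# JNDI_CLASS is the lookup class shipped inside the Java log4j-core 2.x JAR.
JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# classify_hit FILE -> prints one label for a single file
classify_hit() {
    hit=$1
    name=$(basename "$hit")
    case "$name" in
        *.jar|*.war|*.ear)
            # ZIP archives store entry names uncompressed, so a fixed-string
            # grep finds the class even when the JAR has been renamed.
            if grep -qF "$JNDI_CLASS" "$hit" 2>/dev/null; then
                echo "java-log4j-core"
            else
                case "$name" in
                    log4j*) echo "java-log4j-other" ;;  # e.g. API-only JAR
                    *)      echo "no-log4j-core" ;;
                esac
            fi ;;
        log4js*)
            # Node.js logger (as in moleculer's loggers/log4js.js): not Java
            echo "nodejs-log4js-unrelated" ;;
        *)
            echo "unclassified" ;;
    esac
}

# scan_tree DIR -> "label<TAB>path" for each archive or log4j-named file
scan_tree() {
    find "$1" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \
        -o -name 'log4j*' \) 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_hit "$f")" "$f"
    done
}
```

Run `scan_tree /` as root to cover the whole filesystem; only lines labelled `java-log4j-core` point at the Java library and need a version check.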

Hi there!

Regarding this threat, our Security Team already did the necessary investigations.

Here we have a summary of the findings:

Your Rocket.Chat application is not affected by the log4j vulnerability as it does not use log4j. Our SaaS offering is not affected as well per the current state of our investigation. We continue to monitor the situation.

1 Like

Amazing! Thanks so much for your swift response.