Log4J CVE-2021-44228 Response
A newly discovered 0-day vulnerability, CVE-2021-44228, in the widely used Java logging library Log4j has taken the Internet by storm. It is a vulnerability in a third-party logging framework that enables a remote user to gain privileged access to the host (read more here).
Many of our users know that Foreman uses Java for several of its applications. We want to go on record and let our users know that we do not use Log4j, and none of our systems are vulnerable to this exploit. We will not be releasing an update to any of our agents as a result of this CVE.
Why Wasn't Foreman Affected?
Rather than using Log4j, we integrate with Java logging through the SLF4J (Simple Logging Facade for Java) API. SLF4J is not a logger implementation; it is a facade that defines the contract between code that wants to log and the concrete backend that actually writes those logs.
Our applications are modern and use logback as the backend logging implementation, not Log4j. logback does not use log4j-core and offers no JNDI look-up mechanism, so it is not affected by CVE-2021-44228.
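The distinction above (SLF4J facade plus logback backend, no log4j-core on the classpath) is something an operator can verify rather than take on faith. The following is an added example, not Foreman's code or tooling: it walks a directory of Java archives, descends into nested jars inside fat jars and WARs, and reports which archives carry logback and which carry the log4j-core `JndiLookup` class together with the version recorded in log4j-core's `pom.properties`. The sample jars it builds in a temporary directory are constructed fixtures with empty class entries, and the marker paths and fixed-version thresholds are assumptions drawn from the public artifact layout and advisory, not from this page.

```python
"""Scan a tree of Java archives for log4j-core and its CVE-2021-44228 exposure.
Added example, not Foreman's own code."""
import io
import os
import re
import tempfile
import zipfile

# log4j-core is the artifact that carries the JNDI lookup. log4j-api alone,
# SLF4J and logback do not contain this class. (Assumed marker paths.)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOGBACK_MARKER = "ch/qos/logback/classic/Logger.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when the string is not a dotted version."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed_for_44228(version):
    """True for releases that close CVE-2021-44228 (2.15.0+ and the 2.12.2 /
    2.3.1 backports for older JVMs); None when the version is unknown."""
    if version is None:
        return None
    if version >= (2, 15, 0):
        return True
    if (2, 12, 2) <= version < (2, 13, 0):
        return True
    if (2, 3, 1) <= version < (2, 4, 0):
        return True
    return False


def _scan_zip(zf, label, findings):
    names = set(zf.namelist())
    if LOGBACK_MARKER in names:
        findings["logback"].append(label)
    if JNDI_LOOKUP in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings["log4j_core"].append({
            "archive": label,
            "version": version,
            "fixed": is_fixed_for_44228(parse_version(version)),
        })
    # Fat jars and WARs embed further archives; scan those in memory too.
    for name in names:
        if name.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{label}!/{name}", findings)
            except zipfile.BadZipFile:
                pass


def scan_tree(root):
    """Walk `root`; return which archives carry logback and which carry log4j-core."""
    findings = {"logback": [], "log4j_core": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(path) as zf:
                        _scan_zip(zf, os.path.relpath(path, root), findings)
                except zipfile.BadZipFile:
                    pass
    return findings


def _write_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed fixtures, not real jars: class entries are empty placeholders."""
    # 1. SLF4J + logback backend, the layout the advisory describes: no JndiLookup.
    _write_jar(os.path.join(root, "app-logback.jar"),
               {"org/slf4j/Logger.class": b"", LOGBACK_MARKER: b""})
    # 2. A fat jar that embeds an old log4j-core with its Maven metadata.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
    _write_jar(os.path.join(root, "fat-app.jar"),
               {"lib/log4j-core-2.14.1.jar": inner.getvalue()})
    # 3. log4j-api alone carries no JNDI lookup class and must not be flagged.
    _write_jar(os.path.join(root, "log4j-api-only.jar"),
               {"org/apache/logging/log4j/Logger.class": b""})


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    print("logback-backed archives:", result["logback"])
    for hit in result["log4j_core"]:
        print(f"{hit['archive']}: log4j-core {hit['version']} fixed={hit['fixed']}")
```

Run it against a real deployment with `scan_tree("/opt/myapp")` instead of `demo()`. The scanner keys on the `JndiLookup` class rather than on jar file names because shaded and renamed jars hide the artifact name but keep the class path; a hit with an unknown version (`fixed=None`) deserves manual review, since the `pom.properties` entry is often stripped by shading tools.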