A newly revealed critical vulnerability impacting Apache Log4j was disclosed and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system.
We would like to assure all users that GLPI core and its plugins, being written in PHP and not using Log4j, are not affected by the Log4Shell vulnerability.
Exploiting this vulnerability requires a Java Virtual Machine and the org.apache.logging.log4j.core.lookup.JndiLookup Java class in a vulnerable version. None of them are included or used in GLPI distributions.
We can also confirm that:
- GLPI Android Agent (writen in Java), doesn’t use Log4j library, and thus is not affected by the Log4Shell vulnerability
- GLPI Agent (writen in Perl), is not affected by the Log4Shell vulnerability
Warning: this does not prevent layers/tools potentially upstream of GLPI (reverse-proxy, firewall, etc.), or connected to GLPI, which we are not aware of in your context, from being potentially impacted.
For example, if you have a Metabase server connected to GLPI you should note that Metabase (<0.41.4) is affected by Log4j vulnerability, and you should update it ASAP!
Documentation:
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://github.com/NCSC-NL/log4shell/tree/main/software
- https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/