Critical vulnerability in log4j - CVE-2021-44228

I think Dolibarr is NOT affected by this vulnerability. As this topic gets a lot of public attention, it would be helpful to get an official statement from one of the core developers (e.g. @eldy).



I am not one of the core developers you addressed with your request, but I can confirm: Log4j is a Java library. Since Dolibarr is written in PHP and does not use any Java components, it is not directly affected.

However, what people should look out for is the rest of their infrastructure - either their own server or the infrastructure of the hosting company. If there are Java applications hosted on the same server, there may well be a security and/or availability issue.

One of the easy and immediate measures is to keep backups recent and available in a safe place and to keep your eyes open for announcements from service providers regarding updates.
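
One way to check the rest of a server for Java applications that bundle Log4j, as the reply above suggests (an added example, not part of the original thread and not Dolibarr code): it walks a directory tree and reports every Java archive, including libraries nested inside WAR or fat-JAR files, that contains the log4j-core JNDI lookup class. The function names, the extension list and the size limit are assumptions of this sketch; a hit means the library is present and its version still has to be compared with the vendor's advisory.

```python
import io
import os
import sys
import zipfile

# The JNDI lookup class that ships inside log4j-core archives.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # assumed cap: skip oversized nested archives


def scan_archive(data, label, max_depth=4):
    """Return labels of archives (including nested ones) that contain MARKER."""
    hits = []
    try:
        with zipfile.ZipFile(data) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.endswith(MARKER):
                    hits.append(label)
                elif (name.lower().endswith(ARCHIVE_EXT) and max_depth > 0
                      and info.file_size <= MAX_NESTED_BYTES):
                    # WAR files and fat JARs bundle their libraries as nested archives.
                    inner = io.BytesIO(zf.read(info))
                    hits += scan_archive(inner, f"{label}!{name}", max_depth - 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # corrupt, unreadable or encrypted archive: skip it
    return hits


def scan_tree(root):
    """Walk root and scan every Java archive found below it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                hits += scan_archive(path, path)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python scan_log4j.py /opt   (the script name is hypothetical)
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Shaded builds that relocate the class to another package are not detected by this path match, so an empty result does not rule out every bundled copy.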



I confirm that Dolibarr is NOT affected by the Log4j vulnerability.