Log4j2 exploit relevant?


Could we get some official statement if (or if not) globaleaks system ist vulnerable to the log4j2 exploit?


1 Like

Looking for the same info.

1 Like

Digging a bit in the dirt, i.e. looking at the code, it seems to me that “just” node.js is used (among others), but no java. While node.js does also include a lib called log4js-node, this (https://github.com/log4js-node/log4js-node/issues/1105) thread indicates that there’s not code share and the vulnerable parts (jini, ldap) are also not included.

Still, would feel a lot better to have the dev’s confirming this in a more “formal” way and manner… :slight_smile:

Thank you for your questions.

I confirm that GlobaLeaks does not use log4j in any of its software or infrastructure.