ICINGA with Log4J CVE-2021-44228 Apache

Hi Team,
can you please let us know if icinga2 also affected with N Log4J CVE-2021-44228 Apache
if yes do we need to also -Dlog4j2.formatMsgNoLookups=true this parameter

This is my personal thinking about this (maybe too narrow-minded?), as I have no java stuff on my monitoring systems and Log4j 2 is a Java logging library and there is no java code in the Icinga project this CVE does not impact Icinga.

Tests for it:
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/#detection-testers
maybe this helps as well to find if you have any associated files present:

find / -type f >> ~/file_list.txt && egrep "log4j|[Jj]ndi[lL]ookup" ~/file_list.txt;rm -f ~/file_list.txt
5 Likes

Hello @gaurav8591!

I’ve actively… let’s say… “co-developed” core, web and Icinga DB and never seen any line of java code. The only exception:

But on that you’d have to ask team Graylog.

Best,
AK

6 Likes