
Impact of log4j CVE-2021-44228 on heritrix3?

Open · bnewbold opened this issue 4 years ago · 1 comment

This is a security-related issue, and I have read https://github.com/internetarchive/heritrix3/blob/master/SECURITY.md. Because it is not specific to heritrix3, and is getting a lot of public attention, I believe it is reasonable to open a public thread here about it.

This is an issue to track the impact of a recent log4j remote exploit (CVE-2021-44228) in the context of heritrix3.

My brief read of the situation is that log4j versions 2.0.x through 2.14.x (see elsewhere for exact version numbers) are impacted. Heritrix3 pulls in log4j, but as of recent 3.4.x tags, has never used a version 2.0.x or greater. And thus no versions of heritrix3 are vulnerable to this specific issue. Would be great to get another set of eyes to confirm this.

bnewbold, Dec 10 '21 21:12

I've seen some speculation that the log4j 1 JMS appender may also be vulnerable, but this would require a Heritrix user to have explicitly configured it.

Note that software widely used in the web archiving community like ElasticSearch, Solr and Kafka has been found vulnerable in its default configuration so I strongly suggest everyone search your systems for the log4j-core 2.x jar and apply patches or mitigations to all applications that include it as soon as possible. We've already seen many exploitation attempts and were up late last night applying mitigations.

ato, Dec 11 '21 05:12
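As an added example (not part of the original thread, and not heritrix3 code), here is a Python scanner that performs the check ato suggests: it walks a directory tree for jars/wars/ears, recurses into archives nested inside them, reads the version from log4j-core's Maven `pom.properties`, and reports anything in the 2.0 through 2.14.x range that bnewbold cites for CVE-2021-44228. Two things go beyond what the thread states and are assumptions of this example: a jar whose `JndiLookup.class` has been removed is treated as mitigated (the class removal was the published workaround), and a jar that contains `JndiLookup.class` but no `pom.properties` (typical of shaded fat jars) is flagged for manual review rather than given a version. It also notes log4j 1.x jars that ship `JMSAppender` and offers a helper that checks a `log4j.properties` for an explicitly configured JMSAppender, which is the condition ato names. The sample jars are constructed in memory purely to exercise the scanner; the marker paths inside them are the real Maven and class locations.

```python
"""Scan a directory tree for log4j-core jars in the CVE-2021-44228 range.
Added example, not heritrix3 project code; see the lead-in for assumptions."""
import io
import os
import re
import zipfile

# Real paths inside a jar that identify log4j 2.x / 1.x.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_JMS = "org/apache/log4j/net/JMSAppender.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties):
    """Return (major, minor, patch) from a pom.properties 'version=' line, else None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """Range cited in the thread: log4j-core 2.0.x through 2.14.x."""
    return version is not None and (2, 0, 0) <= version < (2, 15, 0)


def inspect_archive(data, path):
    """Yield one finding dict per log4j hit in an archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        if LOG4J2_POM in names or has_jndi:
            version = None
            if LOG4J2_POM in names:
                version = parse_version(zf.read(LOG4J2_POM).decode("utf-8", "replace"))
            yield {
                "path": path, "kind": "log4j-core 2.x", "version": version,
                "jndi_lookup_present": has_jndi,
                # assumption: in-range version AND JndiLookup still present => exploitable
                "cve_2021_44228": is_affected(version) and has_jndi,
                # assumption: shaded jar without pom.properties => version unknown, review by hand
                "needs_review": version is None and has_jndi,
            }
        if LOG4J1_JMS in names:
            # log4j 1.x: only relevant if a JMSAppender is actually configured (see below)
            yield {"path": path, "kind": "log4j 1.x (JMSAppender class present)", "version": None,
                   "jndi_lookup_present": False, "cve_2021_44228": False, "needs_review": True}
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                yield from inspect_archive(zf.read(name), path + "!/" + name)


def scan_tree(root):
    """Walk a directory tree and collect findings for every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    findings.extend(inspect_archive(f.read(), full))
    return findings


def jms_appender_configured(log4j_properties):
    """True if a log4j 1.x properties file wires up org.apache.log4j.net.JMSAppender."""
    pattern = r"^\s*log4j\.appender\.[^=\s]+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$"
    return re.search(pattern, log4j_properties, re.M) is not None


def make_sample_jar(version=None, jndi_lookup=False, log4j1_jms=False, nested=()):
    """Build a constructed (fake) jar in memory; class entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(LOG4J2_POM, f"artifactId=log4j-core\nversion={version}\n")
        if jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"")
        if log4j1_jms:
            zf.writestr(LOG4J1_JMS, b"")
        for name, data in nested:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        os.makedirs(os.path.join(root, "lib"))
        samples = {
            "lib/log4j-core-2.14.1.jar": make_sample_jar("2.14.1", jndi_lookup=True),
            "lib/log4j-core-2.14.1-nojndi.jar": make_sample_jar("2.14.1"),
            "lib/log4j-core-2.15.0.jar": make_sample_jar("2.15.0", jndi_lookup=True),
            "lib/log4j-1.2.17.jar": make_sample_jar(log4j1_jms=True),
            "app.war": make_sample_jar(nested=[("WEB-INF/lib/log4j-core-2.12.1.jar",
                                                make_sample_jar("2.12.1", jndi_lookup=True))]),
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        for hit in scan_tree(root):
            flag = "VULNERABLE" if hit["cve_2021_44228"] else ("REVIEW" if hit["needs_review"] else "ok")
            print(f"{flag:10} {hit['kind']:<36} {hit['version']} {hit['path']}")
```

Point `scan_tree` at a real install directory (for example a Heritrix, Solr or Elasticsearch tree) to get the same report for actual jars; a hit marked `ok` is a log4j-core 2.x jar that is either outside the range or has had `JndiLookup.class` removed, and `REVIEW` hits need a human to pin down the version or confirm whether a JMSAppender is configured.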