Is Drupal affected by Log4j vulnerabilities?


Since the new Apache Log4j vulnerability detected in December 2021 got massive news coverage around the globe, we started receiving concerned questions from our customers about how it could affect their Drupal websites hosted on the AltaGrade platform. Log4j-related support requests are still being filed in our customer support portal, and because they all have the same or similar resolutions, I decided to summarize them here in the form of questions and answers.

What are the Apache Log4j security vulnerabilities?

Log4j is an open source Java logging library developed by the Apache Software Foundation and is widely used by applications and services around the world. The Log4j vulnerability allows attackers to break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

In fact, multiple vulnerabilities were found in Apache Log4j in 2021, and you can read the detailed information on each of them at https://www.cve.org, the authoritative source sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

Is Drupal affected by Log4j vulnerabilities?

Since Drupal does not use any Java components, the definitive answer to this question is no: Drupal core is not affected. However, if your Drupal installation uses contributed projects which interact with Java software, then you might want to keep reading.

You use a LAMP stack. Is Apache affected by Log4j vulnerabilities?

When you hear lots of news about Log4j associated with the Apache Software Foundation, you might think Apache web servers could be affected. However, be absolutely assured that the Apache web servers which we use to run your Drupal websites are not affected, because the vulnerability is in the Apache Log4j Java logging library, which is not installed or used on our servers by default.

My site is using AltaGrade's Apache Solr server. Is it vulnerable?

Some AltaGrade customer projects use contributed modules and libraries which need Apache Solr servers, with the Java library running on the backend. According to https://solr.apache.org/security.html#apache-solr-affected-by-apache-log... the affected versions are 7.4.0 to 7.7.3 and 8.0.0 to 8.11.0, and since we do not use those versions, none of our clients' projects is affected.

For security reasons we can't publicly disclose the Apache Solr versions we use on our platform. However, if you are an AltaGrade client with websites using our Apache Solr service and want to verify this information, please contact us via the support portal and we will guide you on how to check the Apache Solr version on your server.
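The check described above can be scripted. The following is an added example, not AltaGrade's tooling or part of the original post: it takes the inclusive version ranges the post quotes from the Solr security page (7.4.0 to 7.7.3 and 8.0.0 to 8.11.0) and reports whether a given Solr version falls inside them. It assumes the version is read from the JSON that Solr's `/solr/admin/info/system` endpoint returns, in its `lucene.solr-spec-version` field; the sample response embedded below is constructed for the demonstration.

```python
"""Classify an Apache Solr version against the Log4j-affected ranges.

Added example for this FAQ; not AltaGrade's code. The ranges are the ones the
post quotes from the Solr security page. The JSON layout is assumed to follow
Solr's /solr/admin/info/system output ("lucene" -> "solr-spec-version");
verify the field name against your own Solr build.
"""
import json
import re
from typing import Optional, Tuple

# Inclusive (lowest, highest) version ranges quoted in the post.
AFFECTED_RANGES = (
    ((7, 4, 0), (7, 7, 3)),
    ((8, 0, 0), (8, 11, 0)),
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' (optionally followed by a suffix such as
    '-SNAPSHOT') into a comparable tuple. Missing components count as 0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Solr version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected ranges (inclusive)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def version_from_system_info(payload: str) -> Optional[str]:
    """Extract the Solr version from an admin/info/system JSON document.
    Returns None when the expected field is missing."""
    data = json.loads(payload)
    return data.get("lucene", {}).get("solr-spec-version")


def assess(payload: str) -> str:
    """Human-readable verdict for one admin/info/system response."""
    version = version_from_system_info(payload)
    if version is None:
        return "unknown: no lucene.solr-spec-version in response"
    verdict = "AFFECTED" if is_affected(version) else "not in an affected range"
    return f"{version}: {verdict}"


# Constructed sample response, shaped like Solr's admin/info/system output.
SAMPLE_SYSTEM_INFO = json.dumps({
    "responseHeader": {"status": 0},
    "lucene": {"solr-spec-version": "8.11.0", "lucene-spec-version": "8.11.0"},
})

if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM_INFO))
    for v in ("7.3.1", "7.4.0", "7.7.3", "7.7.4", "8.11.0", "8.11.1", "9.0.0"):
        print(v, "affected" if is_affected(v) else "outside affected ranges")
```

On a live server you would feed `assess()` the output of `curl -s 'http://localhost:8983/solr/admin/info/system?wt=json'` (host and port assumed) instead of the constructed sample. A version outside the listed ranges answers only the question the post raises about Solr itself; it says nothing about other Java services that may be present on a host.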
