Log4j Vulnerability Update

Dec 15, 2021 #security #vapor #forge

Log4j is a Java library by Apache used to log debug messages within applications. It has recently been featured in news outlets around the world due to a newly discovered vulnerability (known as Log4Shell) that allows remote code execution using a specific string.

Laravel Forge

Laravel Forge does not install Log4j by default. Furthermore, Forge does not install any applications known to use Log4j.

The vast majority of servers provisioned by Forge will not be vulnerable; however, if you have manually installed applications such as Elasticsearch, your server may be affected.

To check if your server is affected, you can use a script such as log4j_checker_beta.
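The following is an added example, not part of the original post and not the log4j_checker_beta script: a Python scan that lists every Java archive, including ones nested inside fat JARs or WARs, that bundles the log4j-core JndiLookup class. The file name find_log4j.py, the extension list and the nesting limit are assumptions; a hit shows that Log4j is present, not which version it is.

```python
import io
import os
import sys
import zipfile
import zlib

# Class implementing the JNDI lookup in log4j-core 2.x. Finding it means
# log4j-core is bundled in that archive; it does not tell you the version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # assumption: archives nested deeper than this are not opened
UNREADABLE = (zipfile.BadZipFile, OSError, RuntimeError,
              NotImplementedError, zlib.error, EOFError)


def scan_archive(fileobj, label, depth=0):
    """Return the label of every archive, nested ones included, holding JNDI_CLASS."""
    hits = []
    try:
        with zipfile.ZipFile(fileobj) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                    inner = io.BytesIO(zf.read(name))
                    hits += scan_archive(inner, f"{label}!{name}", depth + 1)
    except UNREADABLE as exc:
        # Report what could not be inspected instead of hiding it.
        print(f"skipped {label}: {exc}", file=sys.stderr)
    return hits


def scan_tree(root):
    """Walk root (symlinks are not followed) and scan each Java archive."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                hits += scan_archive(path, path)
    return hits


if __name__ == "__main__":
    # Usage: python3 find_log4j.py /   (defaults to the current directory)
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("log4j-core JndiLookup class found in:", hit)
```

Copies whose packages have been relocated (shaded) under a different path will not match this class name, so treat an empty result as "none found by this check".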

Laravel Vapor

Laravel Vapor does not install or use Log4j in either the native or Docker runtimes. However, if you have manually installed libraries, use custom layers, or customize your Dockerfile, it is possible that Log4j has been installed due to those modifications.

You should check your environment for vulnerability and take action if necessary.

By James Brooks

Software Developer at Laravel, working on Forge and Envoyer.
