1

Topic: Log4j (CVE-2021-44228)

Not sure how to check this, so asking: Is iRedMail affected by this?


2

Re: Log4j (CVE-2021-44228)

No, it does not use Java.

3

Re: Log4j (CVE-2021-44228)

Does this hold true for ALL versions of iRedMail or just the latest?  Specifically I am running:

iRedMail    0.9.8
iRedAdmin-Pro    2.9.0 (PostgreSQL)

4 (edited by Cthulhu 2021-12-15 11:08:15)

Re: Log4j (CVE-2021-44228)

iRedMail never used Java, and I guess will never do so as well.

5

Re: Log4j (CVE-2021-44228)

There is a log4j implementation for Perl. It is not affected by that advisory. It's just the Java implementations of log4j 2.4x (as I understand it).

Some Java/JVM/JRE implementations (e.g. Lucee) use log4j. But Lucee, for example, uses log4j 1.2x, which is not affected.

If you are running Java, search your .jar files for log4j.

e.g.
# find / -name '*.jar' | grep log4j
/opt/lucee/tomcat/lucee-server/bundles/log4j-1.2.17.jar
/opt/lucee/tomcat/lucee-server/bundles/log4j-1.2.16.jar

Cthulhu wrote:

iRedMail never used Java, and I guess will never do so as well.
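Added example, not part of the original thread or of iRedMail: the filename search above misses log4j copies bundled inside application archives whose names do not contain "log4j", so this Python sketch opens each .jar/.war/.ear (and archives nested inside them) and looks for the library's class files. The function names are hypothetical; the class paths are those used by log4j-core 2.x and log4j 1.x.

```python
import io
import os
import sys
import zipfile

# JNDI lookup class shipped in log4j-core 2.x, and the Logger class of the 1.x API.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")

def scan_archive(fileobj, label, depth=0, max_depth=4):
    """Return [(label, finding)] for one archive, recursing into nested ones."""
    findings = []
    try:
        zf = zipfile.ZipFile(fileobj)
    except (zipfile.BadZipFile, OSError):
        return findings  # not a readable zip archive; skip it
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_CLASS):
                findings.append((label, "log4j-core 2.x (JndiLookup present)"))
            elif name.endswith(LOG4J1_CLASS):
                findings.append((label, "log4j 1.x API classes"))
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                try:
                    inner = io.BytesIO(zf.read(name))
                except (zipfile.BadZipFile, RuntimeError, OSError):
                    continue  # encrypted or corrupt member
                findings += scan_archive(inner, f"{label}!{name}", depth + 1, max_depth)
    return findings

def scan_tree(root):
    """Walk root and scan every .jar/.war/.ear file found below it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        findings += scan_archive(fh, path)
                except OSError:
                    continue  # unreadable file (permissions, vanished)
    return findings

if __name__ == "__main__":
    for label, finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{finding}\t{label}")
```

A hit only shows that the library is present; the bundled version still has to be compared against the advisory or confirmed with the program's vendor.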

6 (edited by Cthulhu 2021-12-15 23:33:47)

Re: Log4j (CVE-2021-44228)

Lucee is not related to iRedMail, and Log::Log4perl is NOT log4j, that's a huge difference.

The question was only related to iRedMail, not to any other software some people implemented on their servers.

7

Re: Log4j (CVE-2021-44228)

iRedMail doesn't install any Java programs by default, so it's crystal clear that ALL iRedMail releases are NOT AFFECTED by this log4j thing. BUT if you installed some Java program after iRedMail installation, then you should check with the program vendor to figure out whether the Java program is affected.