Impact
Older versions of the log4j library have an RCE vulnerability (CVE-2021-44228). The jitsi-videobridge package is affected by this vulnerability when callstats is enabled, for versions of jitsi-videobridge prior to 2.1-504-g2f7fcb978 (May 2021). Later versions prior to v2.1-595-g3637fda42 (December 2021) are not affected when running with defaults because log4j is not loaded properly, but may be affected if log4j loading is fixed.
Patches
jitsi-videobridge v2.1-595-g3637fda42 uses a patched version of log4j.
Workarounds
Loading the JVM with the -Dlog4j2.formatMsgNoLookups=true option should mitigate this issue for vulnerable versions.
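The following POSIX shell script is an added example, not part of this advisory or of the jitsi-videobridge project. It turns the version boundaries from the Impact section and the JVM flag from the Workarounds section into two checks an operator can run: one classifies a jitsi-videobridge version string (together with whether callstats is enabled) into the categories the advisory describes, and the other tests whether a JVM option string already carries -Dlog4j2.formatMsgNoLookups=true. The version strings used in the demonstration other than those quoted in the advisory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a jitsi-videobridge build and its JVM options
# against the log4j advisory text. Not project code.

# Print the numeric build component of a version such as
# "2.1-504-g2f7fcb978" or "v2.1-595-g3637fda42".
# Prints "unknown" when the string does not follow that pattern.
jvb_build_number() {
    ver=${1#v}                  # drop an optional leading "v"
    ver=${ver#*-}               # drop the "2.1-" prefix
    build=${ver%%-*}            # keep the digits before "-g<hash>"
    case $build in
        ''|*[!0-9]*) echo unknown ;;
        *) echo "$build" ;;
    esac
}

# $1 = version string, $2 = "yes" if callstats is enabled (default "no").
# Prints one of:
#   patched              - v2.1-595 or later (bundles a patched log4j)
#   default-not-affected - 2.1-504 up to 594: log4j not loaded with defaults,
#                          but could become reachable if loading is fixed
#   vulnerable           - before 2.1-504 with callstats enabled
#   callstats-disabled   - before 2.1-504 without callstats
#   unknown              - version string not understood
jvb_log4j_status() {
    build=$(jvb_build_number "$1")
    callstats=${2:-no}
    if [ "$build" = unknown ]; then
        echo unknown
    elif [ "$build" -ge 595 ]; then
        echo patched
    elif [ "$build" -ge 504 ]; then
        echo default-not-affected
    elif [ "$callstats" = yes ]; then
        echo vulnerable
    else
        echo callstats-disabled
    fi
}

# Return 0 when the JVM option string contains the workaround flag as a
# whole token (so "...=true2" or a prefix match does not count).
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed inputs (the pre-504 version is made up).
for v in 2.1-416-g0000000 2.1-504-g2f7fcb978 v2.1-595-g3637fda42; do
    printf '%-24s callstats=yes -> %s\n' "$v" "$(jvb_log4j_status "$v" yes)"
done
opts='-Xmx3072m -Dlog4j2.formatMsgNoLookups=true'
if has_nolookups_flag "$opts"; then
    echo "workaround flag present in: $opts"
fi
```

In a Debian-style install the JVM options usually live in the JAVA_SYS_PROPS variable of the bridge's environment file (assumed location; adjust for your deployment), so the option string can be read from there and passed to has_nolookups_flag. Treat the flag as an interim measure for builds that cannot be upgraded immediately; the advisory's fix is the patched release.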
References
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
For more information
If you have any questions or comments about this advisory: