Friday, 17 December, 2021

Log4j: Is Umbraco affected by the Log4Shell exploit?

Is Log4Net, a .NET port of Log4j, used by Umbraco and is it a security issue?

Log4j is an Apache component used for logging and diagnostics in Java applications, including webservers. As with most popular Apache components, it has been widely used in other environments, not just Apache webservers.

A recent CVE (Common Vulnerabilities and Exposures entry) found in Log4j has left people asking whether Umbraco is affected, especially since Umbraco used a port of Log4j, called Log4Net, from version 4.10 up to version 8.

You can read the vulnerability description at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228.

Firstly, the good news is that no vulnerabilities have been found in Log4Net. In fact, the vulnerability relies on Java, which is not used by or included with Umbraco by default. You can read more about why on Stack Exchange here: https://security.stackexchange.com/questions/257873/does-cve-2021-44228-impact-log4j-ports.

Secondly, Umbraco 8 uses Serilog, which is unrelated to Log4Net and Log4j and so is not affected by the vulnerability.

Finally, Umbraco HQ have released a security advisory (https://umbraco.com/blog/security-advisory-december-15-2021-umbraco-cms-and-cloud-not-affected-by-cve-2021-44228-log4j-rce-0-day-mitigation/) stating that Log4j is not being used in any of its online Cloud services (Umbraco Cloud, Uno or Heartcore).
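The practical follow-up to the points above is to confirm that a self-hosted Umbraco site really contains only the .NET loggers (Log4Net or Serilog) and no Java Log4j artifacts. The script below is an added example, not code from the post or from Umbraco: it walks a deployed site folder, separates `log4j-core-*.jar` files (the component CVE-2021-44228 concerns) from other JARs and from `log4net.dll`/`Serilog.dll`, and gives a one-line triage verdict. The file-name patterns and the sample folder listing are assumptions constructed for the example.

```python
import os
import re
from typing import Dict, Iterable, List

# File-name patterns this check keys on (assumptions for the example, not from Umbraco).
LOG4J_CORE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
DOTNET_LOGGERS = {"log4net.dll": "Log4Net", "serilog.dll": "Serilog"}

def classify_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Sort file paths into the buckets that matter for CVE-2021-44228.

    'log4j_core'  Java log4j-core JARs, the component the CVE is about
    'other_jars'  any other JAR; Umbraco ships no Java by default, so these need explaining
    'dotnet'      .NET logging assemblies (Log4Net, Serilog), which are not affected
    """
    found: Dict[str, List[str]] = {"log4j_core": [], "other_jars": [], "dotnet": []}
    for p in paths:
        name = os.path.basename(p)
        if LOG4J_CORE.match(name):
            found["log4j_core"].append(p)
        elif name.lower().endswith(".jar"):
            found["other_jars"].append(p)
        elif name.lower() in DOTNET_LOGGERS:
            found["dotnet"].append(p)
    return found

def inventory_site(root: str) -> Dict[str, List[str]]:
    """Walk a deployed site folder and classify every file under it (paths relative to root)."""
    return classify_files(
        os.path.relpath(os.path.join(d, f), root) for d, _, files in os.walk(root) for f in files
    )

def verdict(found: Dict[str, List[str]]) -> str:
    """One-line triage result for a classified inventory."""
    if found["log4j_core"]:
        return "REVIEW: log4j-core JAR present; compare its version with the CVE-2021-44228 advisory"
    if found["other_jars"]:
        return "CHECK: JAR files present although Umbraco ships no Java; identify what added them"
    loggers = sorted({DOTNET_LOGGERS[os.path.basename(p).lower()] for p in found["dotnet"]})
    return "OK: no Java logging artifacts; .NET loggers found: " + (", ".join(loggers) or "none")

if __name__ == "__main__":
    # Constructed sample: a typical Umbraco 7 bin folder plus a stray Java tool in the site.
    sample = ["bin/log4net.dll", "bin/umbraco.dll", "Views/Home.cshtml",
              "tools/log4j-core-2.14.1.jar"]
    inv = classify_files(sample)
    print(inv)
    print(verdict(inv))
    # For a real site: print(verdict(inventory_site(r"C:\inetpub\wwwroot\mysite")))
```

A "REVIEW" or "CHECK" result does not by itself mean the site is exploitable; it means something other than Umbraco's own .NET logging stack is present and should be accounted for.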