23 December 2021
TL;DR: Ballerina and Ballerina Central are NOT affected by the “Log4Shell” (CVE-2021-44228) vulnerability as they DO NOT use any Log4j libraries.
Apache Log4j is part of the Apache Logging Services project, which is owned by the Apache Software Foundation. It’s one of the most popular Java-based logging frameworks and is currently used by a great deal of commercial and open-source software.
Recently, the Apache Software Foundation announced the “Log4Shell” vulnerability, which is now published as CVE-2021-44228. With Log4Shell, an attacker who can control log messages or log message parameters can instruct Log4j to perform a JNDI lookup when message lookup substitution is enabled. Both the LDAP and RMI JNDI service implementations can return a serialized Java object, which can lead to a Java deserialization attack and thereby allow arbitrary code execution on the recipient server or disclosure of sensitive information. The vulnerability is particularly dangerous because of how widely deployed the Log4j library is. For more information on this, see Apache Log4j Security Vulnerabilities.
Ballerina is not affected by this vulnerability because Ballerina’s logging setup uses java.util.logging and does not use Log4j. Furthermore, all official packages, i.e., all ballerina, ballerinax, choreo and wso2 packages, as well as the other packages currently available in Ballerina Central, also do not use Log4j libraries. Therefore, we would like to assure all Ballerina users that applications written in Ballerina cannot be compromised by the Log4Shell vulnerability unless you have used third-party libraries that do use Log4j. To check whether you have any third-party libraries that use Log4j, run this script against the target directory of your Ballerina application or package.
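As an added illustration of the kind of check such a script performs (this is example code, not Ballerina's own script), the following Python walks every jar under a build output directory, counts bundled Log4j classes, flags the JndiLookup class that CVE-2021-44228 abuses, and descends into nested jars. The directory it scans is a constructed sample built in code; the `bin/` layout and jar names are assumptions for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# The class whose JNDI lookup is abused by CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_PREFIX = "org/apache/logging/log4j/"


def _scan_archive(src, label, findings):
    """Count Log4j classes in one jar (path or file-like); recurse into nested jars."""
    try:
        zf = zipfile.ZipFile(src)
    except zipfile.BadZipFile:
        return  # not a zip/jar at all
    log4j_classes, jndi = 0, False
    with zf:
        for name in zf.namelist():
            if name.startswith(LOG4J_PREFIX) and name.endswith(".class"):
                log4j_classes += 1
                jndi = jndi or name == JNDI_LOOKUP
            elif name.endswith(".jar"):  # jar-in-jar packaging
                _scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings)
    if log4j_classes:
        findings.append({"archive": label, "log4j_classes": log4j_classes, "jndi_lookup": jndi})


def scan_target(target_dir):
    """Walk a build output dir (e.g. a Ballerina target/); [] means no Log4j was found."""
    findings = []
    for root, _dirs, files in os.walk(target_dir):
        for path in (os.path.join(root, f) for f in sorted(files) if f.endswith(".jar")):
            _scan_archive(path, path, findings)
    return findings


def build_sample_target():
    """Constructed sample, not a real build: a clean jar and an app jar nesting JndiLookup."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "bin"))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(os.path.join(tmp, "bin", "app.jar"), "w") as zf:
        zf.writestr("lib/log4j-core.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(tmp, "bin", "clean.jar"), "w") as zf:
        zf.writestr("java/util/logging/Logger.class", b"")
    return tmp
```

A non-empty result means Log4j classes are bundled somewhere under the scanned directory and the Apache advisory's version guidance applies; an empty result says nothing about Log4j supplied by the runtime environment outside that directory.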
Please be assured that we are rigorously and regularly scanning our systems against all reported vulnerabilities, as we always do.