Log4j Vulnerability

A critical security vulnerability, CVE-2021-44228, has been identified in the popular “Apache Log4j 2” library (2.x <= 2.15.0-rc1). This has raised concerns among many dCache admins, who have contacted us either directly or by sending a message to security@dcache.org. Thanks for that!

Log4j in dCache

dCache uses logback as the default logging solution and does not distribute the Log4j library with officially released packages. It is therefore not affected.

Log4j in ZooKeeper and Kafka

Like many Java-based projects, ZooKeeper and Apache Kafka use Log4j as their logging library. However, they both depend on log4j-1.2.x, which is not vulnerable to this CVE.

Log4j in the dCache project infrastructure

We are currently checking the entire dCache project infrastructure for the presence of vulnerable versions of the Log4j library. This work is ongoing.
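
Admins who want to run the same kind of check on their own hosts can use something like the following. It is an added example, not dCache project tooling: it walks a directory tree, reads the Maven `pom.properties` metadata inside each jar/war, and classifies the Log4j version against the range given above. The function names are illustrative, and it assumes jars carry Maven metadata; jars nested inside other archives are not unpacked.

```python
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata entries for log4j-core 2.x and log4j 1.x (assumed present in the jar).
POM_V2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_V1 = "META-INF/maven/log4j/log4j/pom.properties"

def classify(version):
    """Classify a Log4j version string against the range stated on this page."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$", version)
    if not m or int(m[1]) not in (1, 2):
        return "unknown"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if major == 1:
        return "1.x, not vulnerable to CVE-2021-44228"
    # Page's range: 2.x <= 2.15.0-rc1. Other pre-release tags of 2.15.0 are
    # not covered by the page, so only the exact rc1 string is matched.
    if (minor, patch) < (15, 0) or version == "2.15.0-rc1":
        return "VULNERABLE"
    return "outside page's affected range"

def jar_log4j_version(jar_path):
    """Return the Log4j version recorded in a jar's Maven metadata, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
            for pom in (POM_V2, POM_V1):
                if pom in names:
                    text = jar.read(pom).decode("utf-8", "replace")
                    m = re.search(r"^version=(.+)$", text, re.M)
                    return m.group(1).strip() if m else None
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or corrupt archive: skip it, keep scanning
    return None

def scan(root):
    """Walk root and return {archive path: verdict} for archives containing Log4j."""
    findings = {}
    for jar in Path(root).rglob("*.[jw]ar"):
        version = jar_log4j_version(jar)
        if version:
            findings[str(jar)] = f"{version}: {classify(version)}"
    return findings

if __name__ == "__main__":
    for path, verdict in sorted(scan(sys.argv[1] if sys.argv[1:] else ".").items()):
        print(path, verdict)
```

Pass the directory to scan as the first argument; with no argument the current directory is scanned.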