Reputation: 341
We are using WildFly 10 and 16 in production, and a zero-day exploit, CVE-2021-44228, exists for some versions of log4j.
How can I be sure that none of the code and libraries use a log4j lib that has that issue?
I do not use any log4j property file nor do I add a dependency by myself.
Any help would be greatly appreciated!
Upvotes: 9
Views: 6910
Reputation: 4216
The affected log4j versions are:
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
WildFly uses log4j shaded via its log4j-jboss-logmanager module. Even the latest 1.2.2.Final version depends on log4j 1.2.17.
This means WildFly <22 is definitely not affected.
There is a log4j2-jboss-logmanager as well - but only WildFly 22+ has it. And as this doc explains:
This will be an implementation of the log4j2 API only. The core log manager for log4j2 will not be supported.
Usage of any org.apache.logging.log4j:log4j-core API’s or implementations will not be supported. In other words the log4j2 log manager implementation, including configuration files, will not be supported.
You can see that the current latest 1.0.0.Final release does not depend on log4j-core at all, only log4j-api.
So WildFly versions >=22 are not affected either.
The official tweet confirms this.
But what about WFCORE-5743 raising the log4j-core version? Look in the pom:
<!-- This is a test only dependency -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${version.org.apache.logging.log4j}</version>
    <scope>test</scope>
</dependency>
It's not bundled with WildFly, only used in WildFly's build for tests.
Upvotes: 14
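The answer above settles what the server itself ships, but the question was also about "the code and libraries", and a deployed WAR or EAR can bundle its own log4j-core under WEB-INF/lib regardless of what WildFly provides. The scanner below is an added example (written for this page, not by the answer's author and not WildFly tooling): it walks a WildFly home, opens every jar/war/ear including archives nested inside other archives, and flags anything that carries log4j-core, keyed on the log4j-core pom.properties and on the JndiLookup class rather than on jar names. The `is_affected` range is the one quoted in the answer (>=2.0-beta9, <=2.14.1). The sample tree it builds is constructed here and only mimics the layout the answer describes (a shaded log4j 1.2.17 logmanager jar, a log4j-api jar, and one deployment smuggling in log4j-core 2.14.1); the class files in it are placeholder bytes.

```python
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# The class the CVE-2021-44228 JNDI lookup path lives in. It only exists in
# log4j-core 2.x, so its presence is a better signal than the jar's file name.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def is_affected(version: str) -> bool:
    """Range quoted in the answer: log4j-core >= 2.0-beta9 and <= 2.14.1.
    Pre-release qualifiers are ignored, so every 2.0 beta counts as affected,
    which is the conservative direction for a scanner."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return (2, 0, 0) <= tuple(nums) <= (2, 14, 1)


def _version_from_pom_properties(data: bytes) -> str:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_archive(blob: bytes, label: str, findings: list) -> None:
    """Inspect one archive in memory, recursing into archives nested inside it
    (WEB-INF/lib/*.jar inside a WAR, jars inside an EAR, ...)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return  # not really a zip; ignore
    with zf:
        names = set(zf.namelist())
        version = _version_from_pom_properties(zf.read(CORE_POM_PROPS)) if CORE_POM_PROPS in names else None
        has_jndi = JNDI_LOOKUP in names
        if has_jndi or version is not None:
            findings.append({
                "archive": label,
                "log4j_core_version": version or "unknown",
                "jndi_lookup_present": has_jndi,
                # Version unknown but the class is there: treat as affected until proven otherwise.
                "affected": is_affected(version) if version is not None else has_jndi,
            })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root) -> list:
    """Walk a WildFly home (modules/, standalone/deployments/, ...) and return one
    finding per archive that carries log4j-core, nested archives included."""
    root = Path(root)
    findings: list = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_wildfly(root) -> None:
    """Constructed sample tree (not a real install): the shaded logmanager jars the
    answer describes, plus one deployed WAR bundling its own log4j-core 2.14.1."""
    root = Path(root)
    modules = root / "modules" / "system" / "layers" / "base"
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder, not real bytecode
    jars = {
        modules / "org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.2.2.Final.jar": _make_jar({
            "META-INF/maven/org.jboss.logmanager/log4j-jboss-logmanager/pom.properties": b"version=1.2.2.Final\n",
            "org/apache/log4j/Logger.class": fake_class,  # shaded log4j 1.2.17, no core/lookup package
        }),
        modules / "org/apache/logging/log4j/api/main/log4j-api-2.14.1.jar": _make_jar({
            "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": b"version=2.14.1\n",
            "org/apache/logging/log4j/Logger.class": fake_class,
        }),
        root / "standalone/deployments/app.war": _make_jar({
            "WEB-INF/web.xml": b"<web-app/>",
            "WEB-INF/lib/log4j-core-2.14.1.jar": _make_jar({
                CORE_POM_PROPS: b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
                JNDI_LOOKUP: fake_class,
            }),
        }),
    }
    for path, blob in jars.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(blob)


def run_demo() -> list:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_wildfly(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()  # e.g. /opt/wildfly
    for f in results:
        print(f"{'AFFECTED' if f['affected'] else 'ok':8} {f['archive']} log4j-core={f['log4j_core_version']}")
    if not results:
        print("no log4j-core found")
```

Run it as `python3 scan.py /opt/wildfly` against a real installation; with no argument it scans the constructed sample. On the sample, only the nested `app.war!WEB-INF/lib/log4j-core-2.14.1.jar` is reported, which is the point: the two module jars come back clean exactly as the answer argues, while the deployment is what you actually have to look at.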
Reputation: 1
Fixed in WildFly Core 18.0.0, to be included in WildFly 26.0.0.Final:
https://issues.redhat.com/browse/WFCORE-5743
https://issues.redhat.com/browse/WFLY-15807
If you need to use WildFly 10 or 16 in production, you should use JBoss EAP instead:
https://access.redhat.com/articles/112673#EAP_7
Upvotes: -1