- Project: jitsi-videobridge
- Summary: JVB affected by log4j vulnerability when callstats is enabled
- Severity: Critical
- Affected versions: All < 2.1-504-g2f7fcb978
- Fixed date: 2021-12-10
- Fixed version: 2.1-595-g3637fda42
- CVE: [pending]
- Reported by: Jitsi Team
The log4j library has a RCE vulnerability (CVE-2021-44228). The jitsi-videobridge package is affected by this vulnerability when callstats is enabled, for versions of jitsi-videobridge prior to 2.1-504-g2f7fcb978 (May 2021). Later versions prior to v2.1-595-g3637fda42 (December 2021) are not affected when running with defaults because log4j is not loaded properly, but may be affected if log4j loading is fixed.
Update to v2.1-595-g3637fda42 or load the JVM with the -Dlog4j2.formatMsgNoLookups=true flag.
Jitsi security advisories are posted in https://github.com/jitsi/security-advisories/tree/master/advisories