Skip to content

Latest commit

 

History

History
19 lines (15 loc) · 974 Bytes

JSA-2021-0004.md

File metadata and controls

19 lines (15 loc) · 974 Bytes

Overview

  • Project: jitsi-videobridge
  • Summary: JVB affected by log4j vulnerability when callstats is enabled
  • Severity: Critical
  • Affected versions: All < 2.1-504-g2f7fcb978
  • Fixed date: 2021-12-10
  • Fixed version: 2.1-595-g3637fda42
  • CVE: [pending]
  • Reported by: Jitsi Team

Description

The log4j library has a RCE vulnerability (CVE-2021-44228). The jitsi-videobridge package is affected by this vulnerability when callstats is enabled, for versions of jitsi-videobridge prior to 2.1-504-g2f7fcb978 (May 2021). Later versions prior to v2.1-595-g3637fda42 (December 2021) are not affected when running with defaults because log4j is not loaded properly, but may be affected if log4j loading is fixed.

Resolution

Update to v2.1-595-g3637fda42 or load the JVM with the -Dlog4j2.formatMsgNoLookups=true flag.


Jitsi security advisories are posted in https://github.com/jitsi/security-advisories/tree/master/advisories