log4j vulnerability -- is Zotero affected?

Can you please confirm whether Zotero is affected by the critical remote code execution vulnerability in Apache log4j versions 2.10.0 and greater that was released today?

More info about the vulnerability:
Log4j is included with most enterprise products released by the Apache Software Foundation, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, and Apache Kafka.

What do I need to do?
If you have a server running log4j that is exposed to the internet, upgrade to version 2.15.0 to address this vulnerability. If you cannot upgrade, mitigate the issue by applying the flag “formatMsgNoLookups=true” and restarting log4j. See the lunasec.io and randori.com links below for additional information on this mitigation.

Additional information on the vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.randori.com/blog/cve-2021-44228/
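As an added example (not Zotero's code and not from the linked posts), a small Python check that flags JARs bundling a log4j-core version inside the range the post describes (2.10.0 up to but not including 2.15.0) and tests a JVM command line for the recommended mitigation flag. The sample JARs are constructed in a temporary directory, and the full system-property name log4j2.formatMsgNoLookups is assumed from the post's shorter “formatMsgNoLookups=true”.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIRST_AFFECTED, FIXED = (2, 10, 0), (2, 15, 0)  # range as stated in the post
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version):
    """True when the version falls inside the vulnerable, unfixed range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def jar_log4j_version(jar_path):
    """Version from the pom.properties log4j-core ships (fat JARs too); None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM not in zf.namelist():
            return None
        for line in zf.read(POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def scan_jars(root):
    """Map each JAR under root that bundles an affected log4j-core to its version."""
    findings = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        version = jar_log4j_version(jar)
        if version and is_affected(version):
            findings[jar.name] = version
    return findings

def mitigation_flag_set(jvm_args):
    """True if the JVM command line carries the property the post recommends
    (its full system-property name is assumed to be log4j2.formatMsgNoLookups)."""
    return "-Dlog4j2.formatMsgNoLookups=true" in jvm_args.split()

def build_sample_dir():
    """Constructed sample: one affected JAR and one patched JAR."""
    root = Path(tempfile.mkdtemp())
    for name, version in (("app-lib.jar", "2.14.1"), ("patched.jar", "2.15.0")):
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr(POM, f"version={version}\nartifactId=log4j-core\n")
    return root
```

Running `scan_jars(build_sample_dir())` reports only app-lib.jar (2.14.1); point `scan_jars` at a real application directory to inventory bundled copies.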
  • We don't believe so, but we've patched the few things in our infrastructure that could theoretically be affected.
  • Just to update, it's been confirmed that nothing Zotero uses was vulnerable, even before the patches.