Prosody Log4j vulnerability

13 views
Skip to first unread message

micha re

unread,
Dec 15, 2021, 6:30:33 AM12/15/21
to Prosody IM Users
Hello all,
I just wanted to ask if prosody (or perhaps Lua?) is vulnerable to the Log4j Flaw?
Thanks for the info.
Greets,
Micha

Matthew Wild

unread,
Dec 15, 2021, 6:39:46 AM12/15/21
to Prosody IM Users Group
Hi Micha,

On Wed, 15 Dec 2021 at 11:30, 'micha re' via Prosody IM Users <prosod...@googlegroups.com> wrote:
Hello all,
I just wanted to ask if prosody (or perhaps Lua?) is vulnerable to the Log4j Flaw?

Prosody is not vulnerable to the Log4j flaw. Log4j is a Java logging library, but Prosody is written mostly in Lua and does not use Java or have any Java dependencies.

On the topic of security, there was also an OpenSSL security advisory this week: https://www.openssl.org/news/secadv/20211214.txt

Prosody does use OpenSSL via LuaSec, but is typically not using OpenSSL 3.0 which is the version affected by this security issue. Right now we recommend that people use OpenSSL 1.1.1 with Prosody, which is safe and the default version on most systems currently.

Regards,
Matthew

micha re

unread,
Dec 15, 2021, 9:13:51 AM12/15/21
to Prosody IM Users
Hi Matthew,

thank you for your rapid and informative Answer.
In this context I checked the used OpenSSL version which is, as you mentioned, OpenSSL 1.1.1 from 11. Sep. 2018.

Regards,
Micha
Reply all
Reply to author
Forward
0 new messages