Prosody Log4j vulnerability


micha re

Dec 15, 2021, 6:30:33 AM
to Prosody IM Users
Hello all,
I just wanted to ask if Prosody (or perhaps Lua?) is vulnerable to the Log4j flaw?
Thanks for the info.
Greets,
Micha

Matthew Wild

Dec 15, 2021, 6:39:46 AM
to Prosody IM Users Group
Hi Micha,

On Wed, 15 Dec 2021 at 11:30, 'micha re' via Prosody IM Users <prosod...@googlegroups.com> wrote:
> Hello all,
> I just wanted to ask if Prosody (or perhaps Lua?) is vulnerable to the Log4j flaw?

Prosody is not vulnerable to the Log4j flaw. Log4j is a Java logging library, but Prosody is written mostly in Lua and does not use Java or have any Java dependencies.

On the topic of security, there was also an OpenSSL security advisory this week: https://www.openssl.org/news/secadv/20211214.txt

Prosody does use OpenSSL via LuaSec, but is typically not using OpenSSL 3.0, which is the version affected by this security issue. Right now we recommend that people use OpenSSL 1.1.1 with Prosody, which is safe and the default version on most systems currently.

Regards,
Matthew

micha re

Dec 15, 2021, 9:13:51 AM
to Prosody IM Users
Hi Matthew,

Thank you for your rapid and informative answer.
In this context I checked the used OpenSSL version, which is, as you mentioned, OpenSSL 1.1.1 from 11. Sep. 2018.

Regards,
Micha