Log4j2 Vulnerability (CVE-2021-44228 "Log4Shell") Inquiry


sr

Dec 13, 2021, 1:43:35 PM
to sFlow-RT
Hello,

I am writing to ask whether sFlow-RT is affected by the recent (severe) RCE vulnerability discovered in Log4j currently making headlines.

If not: Are there any preventative measures being taken to ensure sFlow-RT has no safety regressions? I'm imagining things like 1) setting the Java system property `log4j2.formatMsgNoLookups` even in the absence of the library, if this is possible and makes sense, so that changes to sFlow-RT's dependency tree that bring in Log4j don't introduce the RCE; 2) setting the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS` in the sFlow-RT Docker container(s); both of which are prescribed by this web page (under heading "Fixed in Log4j 2.15.0"): https://logging.apache.org/log4j/2.x/security.html

If so: When can we expect patched versions of sFlow-RT (and hopefully an updated Docker image)? Once identified, a blog post to use as an absolute reference for which versions of sFlow-RT are vulnerable and which version is patched would be very helpful.

Thanks!

Peter Phaal

Dec 13, 2021, 2:07:38 PM
to sFlow-RT
sFlow-RT does not include log4j. All logging is done using the standard Java java.util.logging.Logger class.

We don't currently have any plans to include log4j related flags in the sFlow-RT distributions, but you can easily add them if you want: