Is Apache Log4j configured for Bitnami Wordpress

autolifestylee · December 11, 2021, 6:00pm

any updates here from apache or bitnami??

autolifestylee · December 11, 2021, 6:01pm

hey, have you found any further info on this package?

ricardodo · December 13, 2021, 1:17am

Hello. I’m a user of LAMP PHP 7 LightSail VM on AWS and I would also like to know this.
Thanks

rickb · December 13, 2021, 5:27am

We’re also using Bitnami LAMP on AWS Lightsail, but have Ubuntu 16.04 and are not receiving OS updates. So it’s important to know if this Bitnami is vulnerable to Log4j. Thanks!

francesco.trevisani · December 13, 2021, 9:40am

Hi, we use Bitnami LAMP, Bitnami Wordpress and Bitnami Wordpress Multisite on Amazon AWS Lightsail instances. The IT team of one of our major client, advice us that they find the log4j issue inside our wp multisite instance. So Bitnami installation seems to be vulnerable to log4j. How to apply the permanent remediation?
Thanks in advance

Jens_Hartmann · December 13, 2021, 10:28am

What you found is not “log4j” but instead “log4js”. The name of the framework is quite similar but it is not the same tool.
https://log4js-node.github.io/log4js-node/

I would cautiously guess that this finding has nothing to do with the current problem, but would be grateful for confirmation, as this is not necessarily my area of expertise.

Regards

francesco.trevisani · December 13, 2021, 11:42am

But log4j is used by default on wordpress bitnami stack?

jota · December 13, 2021, 12:25pm

Hi all,

The Bitnami WordPress, WordPress Multisite and LAMP solutions are build on top of PHP and do not include Java that is necessary to run log4j. We can confirm that we are not shipping this vulnerable component in these solutions by default.

As @Jens_Hartmann mentioned, the references to the log4js library inside the nami folder refer to the log4js npm package that is not related to the log4j component. You can find more information here:

https://www.npmjs.com/package/log4js

Thanks for using this forum and let us know if you have any other questions.

francesco.trevisani · December 13, 2021, 1:23pm

Thanks @jota, I think this information is reassuring for all of us!

briggaman · December 13, 2021, 5:50pm

Hi jota,

Is this also the case for Bitnami WAMP?

autolifestylee · December 13, 2021, 6:01pm

Thank you so much @jota

rukshan.sugathapala · December 13, 2021, 10:36pm

Thanks for confirming @jota !

jota · December 14, 2021, 11:49am

Hi @briggaman,

WAMP does not include Log4j (it does not include Java either) so it’s safe to use.

bartjan · December 15, 2021, 3:21pm

How about WordPress with NGINX and SSL Certified by Bitnami and Automattic?

jota · December 15, 2021, 3:22pm

Hi @bartjan,

Same for that solution. We do not include Elasticsearch there and no Log4j library is included either.

bartjan · December 15, 2021, 3:33pm

Thanks for the confirmation @jota!

ashifahmed89 · December 22, 2021, 9:28am

We are using Testlink software for QA teams does testlink using Log4j???

ashifahmed89 · December 22, 2021, 9:29am

We are using Testlink software for QA teams does testlink using Log4j???

jota · December 23, 2021, 8:19am

Hi @ashifahmed89,

TestLink is a PHP application and do not include Java or any java library so it’s safe to use. However, you can ask the app’s developers to know if they are using the affected library somehow.

system · January 6, 2022, 8:19am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.