CVE-2021-44228 / log4j 0-day vulnerability

by Jennifer Volk -
Number of replies: 7

Hi Moodle peeps,

I haven't seen anything yet about Moodle's status on this Java vulnerability - can you please let us know what your level of vulnerability/patching is for this?

https://www.lunasec.io/docs/blog/log4j-zero-day/

Thanks

In reply to Jennifer Volk

Re: CVE-2021-44228 / log4j 0-day vulnerability

by Marcus Green -
"can you please let us know what your level of vulnerability"
Does Moodle use or depend on java or log4j?
In reply to Marcus Green

Re: CVE-2021-44228 / log4j 0-day vulnerability

by Dave Perry -
I've been looking at this this morning as our security analyst in IT flagged it. Apache (the web server we run) doesn't use it, but log4j is an Apache project which is probably where some people are getting concerned without looking at it.
So unless you're running it in a Java servlet container (which for PHP would be very odd), the answer should be no.
Average of ratings: Useful (3)
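A check an admin can run for an IT manager who wants evidence rather than reassurance. This is an added example, not code from the thread or from Moodle: it walks a web root for Java archives, descends into jars nested inside a .war, and reports any archive carrying log4j-core classes, the version from its manifest, and whether the JndiLookup class is present. The tree it scans is a constructed fixture and its version string is made up.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class that marks a log4j-core build still carrying the JNDI lookup abused by CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def scan_archive(data, label, findings):
    """Record log4j-core content in one archive, then recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real zip archive (e.g. a stray empty file): nothing to scan
    names = zf.namelist()
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        findings.append({"archive": label, "version": manifest_version(zf),
                         "jndi_lookup": JNDI_LOOKUP in names})
    for n in names:  # a .war keeps its jars under WEB-INF/lib, which a file walk cannot see
        if n.lower().endswith(ARCHIVES):
            scan_archive(zf.read(n), f"{label}!{n}", findings)

def scan_tree(root):
    """Walk root and return one finding per archive that carries log4j-core classes."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path.relative_to(root)), findings)
    return findings

def build_sample_tree():
    root = Path(tempfile.mkdtemp())  # constructed fixture: a web root holding a stray .war
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:  # fake log4j-core; the version string is made up
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(root / "legacy.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
        war.writestr("WEB-INF/lib/empty.jar", b"")  # not a zip: exercises the BadZipFile guard
    return root
```

Run `scan_tree` against the real web root and the Java directories the Moodle host exposes (for a PHP-only install it should return an empty list); an empty result only covers archives on disk, not a log4j copy a separate Java service keeps elsewhere.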
In reply to Jennifer Volk

Re: CVE-2021-44228 / log4j 0-day vulnerability

by Andrew Lyons -
Absolutely zero. Why do you think it would be an issue for Moodle?

Moodle is a PHP project and does not use Java at all (at least, not in the core product - I can’t speak for third-party plugins). We don’t use Log4J or any of the log4j framework or formats at all.
Average of ratings: Useful (5)
In reply to Andrew Lyons

Re: CVE-2021-44228 / log4j 0-day vulnerability

by Dave Perry -
Bear in mind that some people are having IT managers who haven't looked at it properly just panic, and these managers are asking their staff to look at it.
Ours I'm told was worried, just by the mention of the word Apache - I looked at the link his security analyst sent me, and realised that as it was an Apache project that's where the concern/confusion arose.
In reply to Andrew Lyons

Re: CVE-2021-44228 / log4j 0-day vulnerability

by Kieran Jones -
Looks like it was historically used within Moodle once upon a time: https://docs.moodle.org/19/en/Emeeting_module_Log4j

I don't think there is anything wrong with proactively asking, considering the associated risk. I found this thread as I was also looking.
In reply to Kieran Jones

Re: CVE-2021-44228 / log4j 0-day vulnerability

by Tim Hunt -
Emeeting was never part of Moodle. It was (once upon a time) an add-on.