Is OSTicket vulnerable to the Log3J exploit?

eatyourpeas747

If so, what are the mitigation steps or workarounds currently?

eatyourpeas747

Oops. I meant log4j exploit

Muxacka

Same question here..

Muxacka

After investigating, log4j is not installed by default nor used it looks.. but needs confirmation from OS Ticket devs

dede78

hello, in any case as a temporary mitigation:
If upgrading Log4j 2 to version 2.15.0 is not a viable option, short-term mitigations are available (although upgrading is the recommended approach).
Log4J 2 Versions 2.10.0 – 2.14.1
Option 1
If running Log4j version 2.10.0 through 2.14.1, The “formatMsgNoLookups” property is available, and the vulnerability can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to “true”.
• When launching the java virtual machine (JVM):
-Dlog4j2.formatMsgNoLookups=true
• Add or modify the configuration file (log4j2.component.properties) within an application folder to include:
log4j2.formatMsgNoLookups=true
Option 2
Per https://logging.apache.org/log4j/2.x/security.html - remove the JndiLookup class from the classpath.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Log4J 2 Versions pre 2.10.0
Per https://issues.apache.org/jira/browse/LOG4J2-2109 - within logging configuration files, disable message pattern lookups by replacing each reference of %m with %m{nolookups}.

Muxacka

dede78 , your reply Does not make sense..

fdrouin

Any DEV can confirm if osticket use Log4J?

ntozier

Log4J is not part of osTicket. It's part of Apache.

KevinTheJedi

@fdrouin @eatyourpeas747 @Muxacka @dede78

osTicket is PHP based and not based on any Java stack using Log4J.

Cheers.