Review Board and log4j2

The big tech news this week has been CVE-2021-44228, the vulnerability in Log4j2, a widely-used logging library for Java.

We've received a lot of questions as to whether Review Board is impacted.

The answer is no. Review Board is not impacted by the Log4j2 vulnerability. It's written in Python and JavaScript, and we do not make use of Java or Log4j2 anywhere in our stack.

However, Review Board may talk to other services in your network that use Log4j2, which themselves may be impacted. We recommend thoroughly auditing your infrastructure at this time.

This is a pretty rough issue, and we want to acknowledge and praise the hard work and long hours so many people are putting in to address this issue, both inside and outside the Log4j2 project. If your company depends on Log4j2, or any other critical open source components, consider reaching out to those projects to see how you can help give back.