title: “Statement about Log4J v2 vulnerability CVE-2021-44228” tags: cve keywords: cve permalink: 2021-12-13-log4j-statement.html summary: “Statement about Log4J v2 vulnerability CVE-2021-44228 on Dec 13, 2021” hide_sidebar: true hide_navtoggle: true toc: true
Gerrit v184.108.40.206 uses log4j 1.2.17, this means it's not affected by the Log4J v2 vulnerability CVE-2021-44228.
Gerrit v3.5.1 does not use log4j but adopted reload4j instead.
Log4j 1.2.17 is affected by CVE-2019-17571 and CVE-2020-9488 however, both of them require a specific log4j configuration that Gerrit does not use out of the box.
Should you have used a custom log4j configuration you should also check that your configuration is not impacted by the above vulnerabilities and look at the associated mitigation actions.