A high-severity security vulnerability in the popular open source Log4j logging library has been discovered and assigned CVE-2021-44228. It affects multiple versions of the Apache Log4j 2 utility.
The flaw in the Log4j software could allow attackers a complete takeover of affected systems and has prompted urgent warnings from many governments' cybersecurity agencies, such as those of the US and Germany.
The Rocket.Chat application is not affected by the Log4j vulnerability because it does not use Log4j. Based on the current state of our investigation, our SaaS offering is not affected either. We continue to monitor the situation very closely.
The Rocket.Chat application does not use Log4j directly or via dependencies. Log4j is a Java utility, and our stack does not use Java, so the Log4j vulnerability cannot be exploited in the Rocket.Chat application. To avoid confusion: Rocket.Chat uses log4js (note the additional "s" at the end), a separate Node.js library that is not affected by the vulnerability.
The application layer of our SaaS product does not use Java either. We have run a vulnerability scan over our infrastructure and found no usage of Log4j. Clients that run Rocket.Chat in a self-managed, air-gapped environment are likewise safe from it.
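Administrators of a self-managed deployment may want to verify the two points above for themselves: that the install ships the Node.js log4js package, and that no Java log4j-core artifact exists on the host. The following POSIX shell check is an added example, not Rocket.Chat's own tooling; it assumes the application directory and the scan root are passed as arguments, and it looks for the JndiLookup class at its standard log4j-core path.

```shell
#!/bin/sh
# Added verification helper (not Rocket.Chat's own tooling). Reports the log4js
# npm package a Rocket.Chat install actually uses, and counts Java log4j-core
# artifacts on the host, which are the only thing in scope for CVE-2021-44228.

# Print the version of the log4js npm package under $1/node_modules, or
# "absent" when the package is not installed there.
log4js_version() {
    pkg="$1/node_modules/log4js/package.json"
    [ -f "$pkg" ] || { echo "absent"; return 0; }
    sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}

# Count Java log4j-core JARs below $1. Matches on file name and, when unzip is
# available, on a bundled JndiLookup class (the JNDI lookup that the
# vulnerability abuses), so shaded or renamed JARs are caught as well.
# Findings go to stderr; only the count is printed to stdout.
count_log4j_core() {
    find "$1" -type f -name '*.jar' 2>/dev/null | while IFS= read -r jar; do
        case "$(basename "$jar")" in
            log4j-core-*.jar)
                echo "log4j-core artifact by name: $jar" >&2
                echo "$jar"
                continue ;;
        esac
        if command -v unzip >/dev/null 2>&1 &&
           unzip -l "$jar" 2>/dev/null | grep -q 'log4j/core/lookup/JndiLookup.class'; then
            echo "JndiLookup.class bundled in: $jar" >&2
            echo "$jar"
        fi
    done | wc -l | tr -d ' '
}

# Stand-alone use: ./check.sh <rocket.chat install dir> <directory tree to scan>
if [ "$#" -ge 2 ]; then
    echo "log4js version in install: $(log4js_version "$1")"
    echo "log4j-core artifacts found: $(count_log4j_core "$2")"
fi
```

A count of zero on the scan root confirms the absence of log4j-core; any non-zero result lists the offending JAR paths on stderr for review.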
Rocket.Chat has reached out to the potentially affected suppliers that help us provide our SaaS product, and we have received confirmation from them that their products are not affected by the Log4j vulnerability.
We continuously analyze our infrastructure and actively use our security monitoring systems to keep improving our security and to keep your data safe.