Log4j vulnerability in ODK-X endpoint?

Hello,

I have been asked by my organisation if my servers running ODK-X endpoint are vulnerable to the log4j hack.
I don’t know much about the servers and I would appreciate your help answering this question.

All the best,
Andreas

2 Likes

Here is the Sync-Endpoint dependencies file:

If you search for log4j you can see we are actually excluding it from our logging system as it conflicted and caused problems in the past.

So at a high level it does not appear to have an issue. However, not sure if one of the dependencies sync-endpoint depends on has a dependency deep in its code. As new versions come out we will be upgrading.

4 Likes
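One way to check the open question in the post above, whether a dependency deep in the tree still bundles log4j, is to inspect the built artifact rather than the dependencies file. The following is an added example, not part of the original thread or of ODK-X code: it walks a WAR/JAR and every archive nested inside it, looking for the log4j-core 2.x `JndiLookup` class. The function names and the sample archive are hypothetical, constructed for illustration.

```python
import io
import zipfile

# Class shipped only in log4j-core 2.x; its presence marks a bundled copy.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_log4j_core(data, label, max_depth=5):
    """Return the archive paths (outer!/inner) that contain JndiLookup.class."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to inspect
    with archive:
        for name in archive.namelist():
            # Exact path, or the same path under a prefix (shaded / fat JAR).
            if name == JNDI_LOOKUP or name.endswith("/" + JNDI_LOOKUP):
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                nested = archive.read(name)
                hits += find_log4j_core(nested, f"{label}!/{name}", max_depth - 1)
    return hits


def build_sample_war(with_log4j_core):
    """Constructed sample: a WAR holding one nested JAR under WEB-INF/lib/."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("com/example/App.class", b"")
        if with_log4j_core:
            jar.writestr(JNDI_LOOKUP, b"")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
        war.writestr("WEB-INF/lib/dep.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan.py path/to/app.war [more archives...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for hit in find_log4j_core(fh.read(), path):
                print("log4j-core found in", hit)
```

An empty result means only that this class is absent from the scanned archive; it does not identify log4j 1.x or report which log4j-core version is present.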

Hello,

In addition to Waylon’s comment, the Tomcat server used by sync-endpoint should also not be affected (as per the official Tomcat website: Apache Tomcat® - Apache Tomcat 8 vulnerabilities)

The other application exposed by sync-endpoint is Nginx which is written in C and not affected by Log4j.

Best regards,
Emil

3 Likes