Support » Plugin: W3 Total Cache » Is the Log4j vulnerability an issue?

  • Resolved chrisweblocal

    (@chrisweblocal)


    Hello,

    I just wanted to check if this plugin is vulnerable to the Log4j issue that is happening right now considering I checked the plugin files and there is a .java file in the directory.

    Thanks a bunch!

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Yui

    (@fierevere)

    ゆい

    No, as with any other plugin and WordPress itself.

    WordPress, plugins and themes are using PHP as server side language.

    log4j is a component for Java servlets. Its another programming language and it is not used in WordPress ecosystem (except maybe some very exotic integration plugins that word together with PHP and Java, but its very unlikely case)

    PS: Related to that Java file, Yes, it is for Java, but its not used, its 3rd party component, used for CSS optimization which comes for Java and for PHP.
    Plugin is using PHP file. That .java is not executed and is just eating space on your host disk.

    Thread Starter chrisweblocal

    (@chrisweblocal)

    Perfect. That’s what I figured but I just wanted to double check as I have very little experience with Java.

    Thanks again!

    @fierevere @audrasjb

    Do you think we can have a kind of official statement or blog post (placed on a prominent spot on wordpress.org) that confirms that WordPress is NOT affected by Log4j?

    This might help to avoid lots of questions and mails 😉

    Hello,
    I checked with the security team and as for now, it doesn’t appear we have a strong need to communicate about this security issue since it doesn’t affect WordPress. Also, when we checked few hours earlier, there weren’t much support threads about this in the 3 previous days. A communication about this may lead to more questions and concern than not.

    Thank you for pointing this out @fierevere @chrisweblocal @pixelverbieger 🙂

    • This reply was modified 6 months, 1 week ago by Jb Audras.

    It wouldn’t hurt to do it anyway, though, would it?

    The w.org forums are not the only place where questions come up.
    Assume that my 100+ customers don’t ask here, but contact *me* and ask for a confirmation. This could easily be provided by w.org, so that not only the security team knows that we do NOT have a problem …

    +1 @pixelverbieger

    It should be a no-brainer that if there is a security breach of such magnitude, there will be a statement from every software vendor. Including WordPress. There are so many people who are not deeply involved in the subject of web development. For them, such a statement is important.

    An official statement/post about this security breach would be helpful.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Is the Log4j vulnerability an issue?’ is closed to new replies.