Highlighter and the log4j vulnerability (CVE-2021-44228)

Following the recently published details of the log4j vulnerability, we are monitoring the situation closely. Based on the information currently available, we believe that JObjects Highlighter is not affected by CVE-2021-44228.

JObjects Highlighter does not use log4j for logging. Log4j is a very popular logging framework, so some of our third-party dependencies depend on it; however, we ship only the log4j API library, not the log4j implementation (log4j-core), which is where the vulnerability lies. Calls made through the log4j API are routed by the log4j-over-slf4j bridge to Logback, the library we use for logging.

The groovy-all.jar library shipped with JObjects Highlighter contains a bundled copy of log4j. It is used only for server-side scripting, and no extension scripts are enabled by default. If you have custom scripts in JObjects Highlighter, make sure they do not use log4j directly. The log object provided in the script's global scope is an SLF4J logger instance and does not use log4j. Whether a bundled copy of log4j is exposed depends on its version and on whether the log4j-core classes are present at all: CVE-2021-44228 lives in log4j-core's JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class), so listing the jar's contents for that class and for log4j-core's pom.properties is the quickest way to verify what is actually on your classpath.
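The check described above, carried out as a small scanner, is an added example for this advisory and is not part of JObjects Highlighter. It walks a directory of jars, recurses into jars nested inside other jars (which is how a copy bundled in groovy-all.jar would be found), reports any log4j-core it sees together with its version, and says whether the -Dlog4j2.formatMsgNoLookups=true property would even be read by that version. The three sample jars it builds when run without arguments are constructed for the demo and contain only the marker files a scanner looks for, not real log4j code; the install directory path is an assumption you supply on the command line.

```python
"""Scan jars for log4j-core and the JndiLookup class behind CVE-2021-44228,
recursing into nested jars. Added example for this advisory; not JObjects
Highlighter code. Sample jars from make_sample_jars() are constructed."""
import io
import os
import re
import sys
import tempfile
import zipfile

# Class implementing the JNDI lookup; present in log4j-core, never in log4j-api.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata carried by log4j-core jars; used to read the exact version.
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# 2.x releases below 2.15.0 are affected unless they are one of Apache's backported fixes.
BACKPORT_FIXES = {(2, 3, 1), (2, 3, 2), (2, 12, 2), (2, 12, 3), (2, 12, 4)}
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties):
    """Return (major, minor, patch) from pom.properties text, or None.
    A '2.0-beta9' style version parses as (2, 0, 0) and is still flagged."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version, has_jndi):
    """Turn the two signals into a verdict. log4j 1.x carries neither marker
    and is out of scope for CVE-2021-44228."""
    if not version:
        return "JndiLookup.class present but log4j-core version unknown: inspect manually"
    if version[0] != 2:
        return "not a log4j 2.x release; CVE-2021-44228 does not apply"
    if version < (2, 15, 0) and version not in BACKPORT_FIXES:
        verdict = "VULNERABLE to CVE-2021-44228"
        if version >= (2, 10, 0):
            # The system property is only read by 2.10+ and is not a complete fix.
            verdict += "; -Dlog4j2.formatMsgNoLookups=true applies but is not a complete fix"
        return verdict
    return "contains the CVE-2021-44228 fix; check Apache's advisory for later CVEs"


def scan_archive(data, label):
    """Return findings for one archive and every archive nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    version = None
    if CORE_POM in names:
        version = parse_version(zf.read(CORE_POM).decode("utf-8", "replace"))
    if has_jndi or version:
        findings.append({"path": label, "version": version,
                         "jndi_lookup": has_jndi, "status": classify(version, has_jndi)})
    for name in sorted(names):  # nested jars, e.g. log4j-core inside groovy-all.jar
        if name.lower().endswith(NESTED):
            findings.extend(scan_archive(zf.read(name), label + "!" + name))
    return findings


def scan_dir(root):
    """Scan every archive under root (for example an install's lib/ directory)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(NESTED):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    findings.extend(scan_archive(fh.read(), os.path.join(dirpath, fn)))
    return findings


def make_sample_jars(root):
    """Constructed jars mirroring the advisory: log4j-api only (not reported),
    groovy-all bundling log4j-core 2.14.1 (exposed), a fixed log4j-core 2.17.1."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only, no real bytecode
    with zipfile.ZipFile(os.path.join(root, "log4j-api-2.14.1.jar"), "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties",
                    "version=2.14.1\nartifactId=log4j-api\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, fake_class)
        zf.writestr(CORE_POM, "version=2.14.1\nartifactId=log4j-core\n")
    with zipfile.ZipFile(os.path.join(root, "groovy-all.jar"), "w") as zf:
        zf.writestr("groovy/lang/Script.class", fake_class)
        zf.writestr("log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.17.1.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, fake_class)
        zf.writestr(CORE_POM, "version=2.17.1\nartifactId=log4j-core\n")


def demo():
    """Build the constructed sample jars in a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    make_sample_jars(root)
    return scan_dir(root)


if __name__ == "__main__":
    # Usage: python log4j_scan.py /path/to/highlighter/lib ; no argument runs the demo.
    results = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        ver = ".".join(map(str, f["version"])) if f["version"] else "?"
        print(f"{f['path']}: log4j-core {ver}, JndiLookup={f['jndi_lookup']}: {f['status']}")
```

Run against the demo, the log4j-api jar produces no finding at all (which is the point of shipping only the API), the log4j-core nested inside groovy-all.jar is reported as vulnerable, and the 2.17.1 jar is reported as fixed. A real groovy-all.jar may bundle log4j 1.x or only the API classes, in which case the scanner reports nothing for it; that is the result you want to see before relying on the advisory's reasoning.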

The SLF4J team has published its own assessment of CVE-2021-44228 with regard to SLF4J and Logback.

To be on the safe side, you can edit the file bin/highlighter-service.vmoptions and add the line:

-Dlog4j2.formatMsgNoLookups=true

which is one of the mitigations recommended for the log4j vulnerability. Note that this property is honoured only by log4j 2.10 and later, and Apache has since stated that it is not a complete mitigation, so treat it as defence in depth rather than as a substitute for confirming that no vulnerable log4j-core is on the classpath.

If you wish to review Highlighter's logging configuration, you can find it in the conf/logback.xml file.