Is Duplicati vulnerable to the Log4J zero day vulnerability?
Welcome to the forum @uomoe
A flaw in Log4j, a Java library for logging error messages in applications
It might be better to state if Duplicati uses Log4j. I don’t think it does. A whole lot of things do not. In fact, I would never use it in anything I create, and a lot of others wouldn’t either.
There’s no sign of it in the source (link above, or download the whole thing, and search as you like).
This follows from the language comment. A Java library is made for use by a Java program, not C#.
It would also make no sense to use Log4j in a C# program, because there is already a log4net port.
Mixing different versions of managed code would also need two runtimes, not just .NET Framework (or mono for non-Windows systems), which serves as a Common Language Runtime for .NET code.
A Java virtual machine would be the equivalent of that for Java code, and Duplicati doesn’t use one.
If this means you create Java code, then you are more capable of looking for clues of use than I am. Duplicati encourages and relies on community for its existence and improvement. All, please chip in.
I have now checked the https://github.com/kenkendk/ projects to see which languages are used. While I do see one in Java by the latter, I don’t think it’s in Duplicati, and even if it were somehow, I’m not seeing signs of Log4j in a GitHub source web search.
Searching all Duplicati dependencies down to the lowest levels is not practical, but to give an idea of “different ecosystems”, a Google search for log4net at the nuget.org repository of .NET apps finds numerous uses. This is not so for Log4j. For good measure, I also searched for 44228, which should pick up any references to CVE-2021-44228, the identifier for this vulnerability per my first link.
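As an added example, not part of this thread and not Duplicati’s own code, here is a shell script that does the kind of search described above over a local checkout or build tree. It reports Log4j 2 references in Java build manifests (pom.xml, build.gradle), reports log4net references in .NET manifests separately so the two libraries are not confused, and looks for the JndiLookup class name inside jar/war/ear files, which catches a jar that was renamed because zip entry names are stored uncompressed. The directory layout and file contents built by make_sample_tree are constructed sample data for the demo, not anything taken from Duplicati.

```shell
#!/bin/sh
# Added example, not Duplicati's code: scan a checkout or build tree for the
# indicators a Log4Shell triage looks for, and separately flag log4net so the
# two libraries are not confused. Exit code is always 0; findings go to stdout.

scan_tree() {
  # Java build manifests that pull Log4j 2 (Maven or Gradle).
  find "$1" -type f \( -name pom.xml -o -name 'build.gradle*' \) 2>/dev/null |
  while IFS= read -r f; do
    if grep -qE 'log4j-core|log4j-api|org\.apache\.logging\.log4j' "$f"; then
      echo "LOG4J-MANIFEST $f"
    fi
  done

  # .NET manifests that pull log4net: a different code base and runtime.
  find "$1" -type f \( -name '*.csproj' -o -name packages.config \) 2>/dev/null |
  while IFS= read -r f; do
    if grep -qi 'log4net' "$f"; then
      echo "LOG4NET-MANIFEST $f"
    fi
  done

  # Archives (jar/war/ear are zip files) that carry the JNDI lookup class.
  # Entry names in a zip are stored uncompressed, so grep -a on the raw file
  # finds the name without unzip, even if the jar was renamed or nested.
  find "$1" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) 2>/dev/null |
  while IFS= read -r f; do
    if grep -aq 'org/apache/logging/log4j/core/lookup/JndiLookup.class' "$f"; then
      echo "LOG4J-JAR $f"
    fi
  done
  return 0
}

# Number of findings that concern Log4j itself (log4net rows are excluded).
count_log4j_findings() {
  scan_tree "$1" | grep -c '^LOG4J-' || true
}

# Constructed sample tree for the demo: one Maven project on Log4j, one .NET
# project on log4net, and a stand-in "jar" whose only content is the
# uncompressed entry name the scan keys on. Prints the directory path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/java-tool" "$d/dotnet-app" "$d/lib"
  cat > "$d/java-tool/pom.xml" <<'EOF'
<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
    </dependency>
  </dependencies>
</project>
EOF
  cat > "$d/dotnet-app/packages.config" <<'EOF'
<packages>
  <package id="log4net" version="2.0.12" targetFramework="net472" />
</packages>
EOF
  printf 'PK\003\004 org/apache/logging/log4j/core/lookup/JndiLookup.class' \
    > "$d/lib/renamed-logging.jar"
  echo "$d"
}

# Usage: sh scan-log4j.sh /path/to/checkout
# With no argument, the constructed demo tree is built, scanned and removed.
if [ -n "${1:-}" ]; then
  scan_tree "$1"
else
  demo=$(make_sample_tree)
  scan_tree "$demo"
  rm -rf "$demo"
fi
```

A clean result from a scan like this only speaks for the tree you scanned. As the thread points out, it says nothing about the remote services an application talks to, and a fork that renamed the package path would only be caught by the class-name check if that path was kept.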
Java and others, yes. I also didn’t notice Log4j in a quick Duplicati git search, but that doesn’t mean they don’t use it somewhere else, like with the server side of the remote connections, as they do with Google Drive, or even use something Log4j-based with another code language. Weird things get done.
I just don’t believe they are using it. Not everyone will. Asking doesn’t automatically mean they do. As such, I wouldn’t care about researching it further.
To expand on that further anyway: for example, there’s also log4net, which is a .NET implementation and was affected by a vulnerability previously. It will likely see the same thing happen in time as Log4j, as this is the way it goes: Apache Log4net : List of security vulnerabilities
There are others from Apache as well (https://logging.apache.org/), not to mention others can take the code and rename log4j to something else (Forks · apache/logging-log4j2 · GitHub), and that could be in use.
However, to note, I do use some Apache libraries. Just would never use log4j. That’s not my way of doing things there.