Forums | Mahara Community
Log4j2 vulnerability and Mahara
13 December 2021, 10:10
Over the weekend, a critical vulnerability was made public affecting Log4j, a widely-used Java logging library. We recommend that you get in touch with your IT provider to have your entire infrastructure reviewed in regard to this vulnerability.
The Mahara code base is not affected because it does not use Java. Neither is Mahara Mobile, which does not use Java-based logging.
Organisations running Elasticsearch connected to Mahara should follow the advice published by Elastic. While Elasticsearch "is not susceptible to remote code execution with this vulnerability", Elastic is "making a fix available for an information leakage attack also associated with this vulnerability and recommend that all customers apply the configuration."
Elasticsearch can be used in Mahara for advanced full text searching as well as learning analytics. You can check if you use Elasticsearch by going to 'Admin menu' -> 'Configure site' -> 'Site options' -> 'Search settings' and 'Logging settings'. If your search is set to 'elasticsearch', then you use Elasticsearch and the search bar in the header of a page says 'Search' rather than 'Search for people'. If you also use Elasticsearch for advanced reporting, you would have 'Event log reporting' and 'Log events' activated in the 'Logging settings'.
If you have LDAP connected to Mahara, we also recommend that you apply any patches made available and follow advice by your IT department.
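As an added example, not part of the original post or of Mahara's own code: a Python check that a Mahara administrator who does run Elasticsearch could apply to the JSON returned by Elasticsearch's `GET /_nodes/jvm` API, reporting which nodes either run a release in which Elastic removed the vulnerable Log4j class (6.8.21 / 7.16.1) or carry the `-Dlog4j2.formatMsgNoLookups=true` JVM flag that Elastic's advisory recommended for older 6.8.x / 7.x nodes. The node response below is constructed and the node names are made up.

```python
import json

# JVM flag from Elastic's advisory for 6.8.x / 7.x nodes that have not been upgraded.
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# First releases per major line in which Elastic removed the vulnerable Log4j class.
FIXED_VERSIONS = {6: (6, 8, 21), 7: (7, 16, 1)}


def parse_version(version):
    """'7.16.1' or '7.16.1-SNAPSHOT' -> (7, 16, 1)."""
    return tuple(int(part) for part in version.split("-")[0].split(".")[:3])


def assess_nodes(nodes_json):
    """Map each node name to 'fixed-version', 'mitigated-by-flag' or 'needs-attention'.

    nodes_json is the text of a GET /_nodes/jvm response; each node entry
    carries its 'version' and the JVM's 'input_arguments' list.
    """
    report = {}
    for node in json.loads(nodes_json)["nodes"].values():
        version = parse_version(node["version"])
        jvm_args = node.get("jvm", {}).get("input_arguments", [])
        fixed_from = FIXED_VERSIONS.get(version[0])
        if fixed_from is not None and version >= fixed_from:
            status = "fixed-version"
        elif MITIGATION_FLAG in jvm_args:
            status = "mitigated-by-flag"
        else:
            # Unknown major lines (e.g. 8.x) land here too: review them against Elastic's advisory.
            status = "needs-attention"
        report[node["name"]] = status
    return report


# Constructed sample response: three nodes in three different states.
SAMPLE_NODES_JSON = json.dumps({
    "nodes": {
        "n1": {"name": "es-old-unpatched", "version": "7.10.2",
               "jvm": {"input_arguments": ["-Xms1g", "-Xmx1g"]}},
        "n2": {"name": "es-old-flagged", "version": "7.10.2",
               "jvm": {"input_arguments": ["-Xms1g", MITIGATION_FLAG]}},
        "n3": {"name": "es-upgraded", "version": "7.16.1",
               "jvm": {"input_arguments": ["-Xms1g"]}},
    }
})

if __name__ == "__main__":
    for name, status in sorted(assess_nodes(SAMPLE_NODES_JSON).items()):
        print(f"{name}: {status}")
```

Feed it the real response with e.g. `curl -s http://localhost:9200/_nodes/jvm` and treat any `needs-attention` node as one to upgrade or reconfigure per Elastic's advice.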