Decidim is not affected by the Log4j vulnerability (CVE-2021-44228)
Security researchers recently disclosed a critical vulnerability in the Log4j Java logging library. It was publicly announced on 10 December 2021 as CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) and affects a very large number of systems across the web.
Decidim itself is not affected by this vulnerability because Decidim is written in the Ruby programming language, not Java. The vulnerability concerns applications written in Java that include a vulnerable version of the Log4j library.
Some Decidim administrators may prefer to run Decidim behind the Apache HTTP Server (httpd). Apache HTTP Server is not affected by the Log4j vulnerability, as it is not a Java application. The Apache Software Foundation publishes many different software projects and libraries; Log4j is one of them and is unrelated to the HTTP server.
Nevertheless, we encourage everyone to investigate, with the utmost priority, any Java software installed on their Decidim servers or on related services attached to Decidim, such as organizational single sign-on (SSO) services integrated with Decidim.
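As an added example that is not part of this Decidim advisory, the POSIX shell script below performs a first-pass inventory of the kind suggested above: it lists running JVMs and locates Log4j 2 core jars by their Maven file name, flagging the version range that NVD records as affected by CVE-2021-44228. The `log4j-core-<version>.jar` naming convention, the search path and the `ps` invocation are assumptions; jars that were renamed or bundled inside other archives need a manifest or class-level scan that this script does not attempt.

```shell
#!/bin/sh
# Constructed inventory helper for CVE-2021-44228 (not Decidim project code).
# Affected range per NVD: Log4j 2.0-beta9 through 2.15.0, excluding the
# backported security releases 2.12.2, 2.12.3 and 2.3.1. Log4j 1.x is out of
# scope for this CVE (it has its own, unrelated issues).

# log4j_version_status VERSION -> prints affected | not-affected | unknown
log4j_version_status() {
  v=$1
  case "$v" in
    2.12.2|2.12.3|2.3.1) echo not-affected; return ;;   # fixed backports
    1.*)                 echo not-affected; return ;;   # Log4j 1.x branch
    2.*)                 ;;                              # examine minor below
    *)                   echo unknown; return ;;         # unparseable version
  esac
  rest=${v#2.}
  # keep only the leading digits of the minor component ("0-beta9" -> "0")
  minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')
  if [ "${minor:-0}" -le 15 ]; then echo affected; else echo not-affected; fi
}

# scan_for_log4j DIR -> one line per log4j-core jar: "<path> <version> <status>"
# Assumes the Maven artifact file name; renamed or nested jars are not seen.
scan_for_log4j() {
  find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
  while IFS= read -r jar; do
    base=${jar##*/}
    ver=${base#log4j-core-}
    ver=${ver%.jar}
    printf '%s %s %s\n' "$jar" "$ver" "$(log4j_version_status "$ver")"
  done
}

# list_java_processes -> PID and command line of every running JVM
list_java_processes() {
  ps -eo pid=,args= | awk '$2 ~ /(^|\/)java$/'
}

# Usage: sh inventory.sh /path/to/search  (no argument: define functions only)
if [ "$#" -gt 0 ]; then
  echo "Running JVMs:";           list_java_processes
  echo "Log4j 2 core jars:";      scan_for_log4j "$1"
fi
```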
Please be assured that the Decidim team and the community around it take security extremely seriously and treat keeping Decidim secure as their highest priority. We strive to keep Decidim users safe, as data confidentiality is one of the leading principles of Decidim's Social Contract (https://docs.decidim.org/en/understand/social-contract/).