Some of the Jitsi components load a version of log4j which is affected by CVE-2021-44228. According to our review, jigasi and older jitsi-videobridge instances configured to use callstats may be affected, while all other jitsi components and jigasi instances with no callstats configuration are not affected.
Jigasi instances with callstats enabled should be updated to 1.1-216.
Jitsi-videobridge instances older than 2.1-504 (May 2021) with callstats enabled should be updated to 2.1-504 or newer.
None of the jitsi projects use log4j directly; however, some of them load it as a transitive dependency via jitsi-stats → callstats-java-sdk.
Jicofo loads it only in the test phase, due to its jitsi-videobridge dependency, and is thus not affected.
When callstats is not enabled, jitsi-videobridge is not affected.
When callstats is enabled:
Versions before 2.1-504-g2f7fcb978 (May 2021) may be affected.
Versions between 2.1-504 and 2.1-594-g56e0dae00 (inclusive) are not affected, because they pull in mismatched log4j-api and log4j-core versions, so the affected log4j-core classes fail to load:
[INFO] +- org.jitsi:jitsi-stats:jar:1.0-7-g2a9b765:compile
[INFO] |  \- io.callstats:callstats-java-sdk:jar:5.2.1:compile
[INFO] |     +- org.apache.logging.log4j:log4j-api:jar:2.3:compile
[INFO] |     \- org.apache.logging.log4j:log4j-core:jar:2.13.2:compile
Versions v2.1-595-g3637fda42 (Dec 10, 2021) and newer are not affected, because they include a newer version of log4j:
[INFO] +- org.jitsi:jitsi-stats:jar:1.0-9-g4ce7952:compile
[INFO] |  +- io.callstats:callstats-java-sdk:jar:5.3.1:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
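The two dependency trees above are the quickest way to check a deployment: run `mvn dependency:tree` on the build and look at which log4j-core version arrives through jitsi-stats and callstats-java-sdk. The script below is an added example, not Jitsi project code; it parses that tree output, reports the path that pulled log4j-core in, flags a core version below 2.15.0 (the version in the fixed tree), and separately reports the api/core mismatch case. The root line and the `OLD_TREE` sample are constructed from the advisory's first tree.

```python
import re

# A `mvn dependency:tree` line; the prefix is 3 chars per nesting level ("|  ", "+- ", "\- ", "   ").
TREE_LINE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:[-|+\\ ]{2} )*)(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):"
    r"(?P<type>[\w-]+):(?P<version>[^:\s]+)(?::(?P<scope>\w+))?\s*$"  # root line has no scope
)
LOG4J_GROUP = "org.apache.logging.log4j"

def parse_version(v):
    """Numeric prefix of a version as a comparable tuple: "2.13.2" -> (2, 13, 2), "2.3" -> (2, 3, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def find_log4j(tree_text):
    """Every log4j artifact in the tree, with the dependency path that pulled it in."""
    stack, found = [], []
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        del stack[depth:]  # back up to this node's parent before pushing it
        stack.append(f"{m.group('artifact')}:{m.group('version')}")
        if m.group("group") == LOG4J_GROUP:
            found.append({"artifact": m.group("artifact"), "version": m.group("version"),
                          "path": " -> ".join(stack)})
    return found

def assess(tree_text, fixed_core="2.15.0"):
    """Flag log4j-core below fixed_core and report an api/core version mismatch (the advisory says
    the mismatch stops log4j-core loading; treat it as a finding to verify by hand, not as safe)."""
    arts = find_log4j(tree_text)
    versions = {a["artifact"]: a["version"] for a in arts}
    core, api = versions.get("log4j-core"), versions.get("log4j-api")
    return {
        "core": core, "api": api,
        "vulnerable": core is not None and parse_version(core) < parse_version(fixed_core),
        "api_core_mismatch": bool(core and api) and parse_version(core) != parse_version(api),
        "core_paths": [a["path"] for a in arts if a["artifact"] == "log4j-core"],
    }

# Constructed sample: the advisory's pre-2.1-504 jitsi-videobridge tree plus an assumed root line.
OLD_TREE = """\
[INFO] org.jitsi:jitsi-videobridge:jar:2.1-SNAPSHOT
[INFO] +- org.jitsi:jitsi-stats:jar:1.0-7-g2a9b765:compile
[INFO] |  \\- io.callstats:callstats-java-sdk:jar:5.2.1:compile
[INFO] |     +- org.apache.logging.log4j:log4j-api:jar:2.3:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-core:jar:2.13.2:compile
"""
```

Feed it the saved output of `mvn dependency:tree` (for example `assess(open("tree.txt").read())`); raise `fixed_core` if your policy requires a later log4j release than the one this advisory's fixed tree ships.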
When callstats is not enabled, jigasi is not affected.
When callstats is enabled, jigasi versions prior to 1.1-216-ga2399b9 (Dec 10, 2021) may be affected.
We are in the process of releasing a new version of jigasi to all our deployments. There are no other running systems affected by the issue.
A new debian stable version of jigasi has been released. A new debian stable release of the jitsi-meet package will be released soon. New docker images will be released soon.