PowerDNS and Log4J/Log4Shell

Dec 16, 2021

As you may have heard, a critical vulnerability in the Log4J library was published recently. We have received questions about our software’s vulnerability to these exploits.

None of our open source products use Java:

  • PowerDNS Authoritative Server
  • PowerDNS Recursor
  • dnsdist
  • metronome

Also, none of the commercial PowerDNS products use Java. If you are a customer and you have concerns, please contact us.

However, we do know that some of our users output various data streams (logs, dnstap, our own Protobuf logging, etc.) from our software. Those streams may end up in 3rd-party products like Elasticsearch, which is vulnerable (Elastic advisory on Log4J).

So, to judge if you, as a PowerDNS user, are affected by the Log4J vulnerability, please take into account what you do with your DNS data!

About the author

Peter van Dijk

Peter van Dijk

Senior Developer at PowerDNS

Related Articles

PowerDNS Authoritative Server 4.1

Version 4.1 is a major upgrade for the Authoritative Server, delivering improvements and speedups developed and tested over...

Peter van Dijk 11/5/17

PowerDNS Authoritative Server 4.6.3

Hello! Today we published release 4.6.3 of the Authoritative Server. It contains two bug fixes, and marks the arrival of...

Peter van Dijk 07/4/22

PowerDNS Authoritative Server 4.5.3

Hello! Today we published release 4.5.3 of the Authoritative Server. It contains several robustness fixes for the LMDB...

Peter van Dijk 01/6/22

PowerDNS Authoritative Server 4.4.2

Hello! We are proud to announce version 4.4.2 of the Authoritative Server. This releases fixes one issue: RFC2136/nsupdate:...

Peter van Dijk 11/5/21