PowerDNS and Log4J/Log4Shell

As you may have heard, a critical vulnerability in the Log4J library was published recently. We have received questions about our software’s vulnerability to these exploits.

None of our open source products use Java:

  • PowerDNS Authoritative Server
  • PowerDNS Recursor
  • dnsdist
  • metronome

Also, none of the commercial PowerDNS products use Java. If you are a customer and you have concerns, please contact us.

However, we do know that some of our users output various data streams (logs, dnstap, our own Protobuf logging, etc.) from our software. Those streams may end up in 3rd-party products like Elasticsearch, which is vulnerable (Elastic advisory on Log4J).

So, to judge if you, as a PowerDNS user, are affected by the Log4J vulnerability, please take into account what you do with your DNS data!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s