As you may have heard, a critical vulnerability in the Log4J library was published recently. We have received questions about whether our software is affected by this vulnerability.
None of our open source products use Java:
- PowerDNS Authoritative Server
- PowerDNS Recursor
- dnsdist
- metronome
Also, none of the commercial PowerDNS products use Java. If you are a customer and you have concerns, please contact us.
However, we do know that some of our users send various data streams (logs, dnstap, our own Protobuf logging, etc.) from our software to other systems. Those streams may end up in third-party products like Elasticsearch, which is vulnerable (Elastic advisory on Log4J).
So, to judge if you, as a PowerDNS user, are affected by the Log4J vulnerability, please take into account what you do with your DNS data!