
Rollbar Log4J CVE-2021-44228 (“Log4Shell”) Community Update

Blog post from Rollbar

Post Details
Word Count: 868
Language: English
Summary

A critical vulnerability in the Apache Log4J library, used in Java applications, has prompted Rollbar to recommend updating dependencies to mitigate potential security risks. Rollbar's Java SDK does not explicitly log through Log4J, but projects that use Log4J as their primary logger might still be affected. Rollbar therefore released an updated version of its SDK, rollbar-java 1.8.1, to ensure compatibility with Log4J version 2.17.0 or higher, which addresses the vulnerabilities identified as CVE-2021-44228 and CVE-2021-45046. Rollbar advises users to manage their dependencies directly and recommends upgrading both Log4J and Rollbar components to the latest secure versions, protecting against exploits that could allow attackers to execute malicious code in the Java Virtual Machine (JVM). The company has conducted thorough reviews of its infrastructure to confirm the absence of issues. It emphasizes that setting minimum dependency requirements is crucial for maintaining backward compatibility, but that exceptions are sometimes necessary to ensure security.
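One way to check a build against the minimums named in the summary, as an added example that is not Rollbar's code: it scans `mvn dependency:tree` output for Log4J and rollbar-java versions below 2.17.0 and 1.8.1. The sample tree, the `com.example` project and the function names are constructed for illustration.

```python
import re

# Minimum versions named in the summary above.
MINIMUMS = {
    "org.apache.logging.log4j:log4j-core": (2, 17, 0),
    "org.apache.logging.log4j:log4j-api": (2, 17, 0),
    "com.rollbar:rollbar-java": (1, 8, 1),
}

# group:artifact:packaging[:classifier]:version:scope, as `mvn dependency:tree` prints it
COORD = re.compile(r"([\w.\-]+:[\w.\-]+):[\w\-]+:(?:[\w\-]+:)?(\d[\w.\-]*):\w+\s*$")

def parse_version(text):
    """Leading numeric components as a 3-tuple; qualifiers such as -beta9 are ignored."""
    parts = [int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def audit(tree_text):
    """Return (coordinate, found_version, required_minimum) for each outdated dependency."""
    findings = []
    for line in tree_text.splitlines():
        match = COORD.search(line)
        if not match:
            continue  # project root line or non-dependency output
        name, version = match.groups()
        minimum = MINIMUMS.get(name)
        if minimum and parse_version(version) < minimum:
            findings.append((name, version, ".".join(map(str, minimum))))
    return findings

# Constructed sample output; transitive dependencies appear as nested entries.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.rollbar:rollbar-java:jar:1.7.9:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

if __name__ == "__main__":
    for name, found, required in audit(SAMPLE_TREE):
        print(f"{name} {found} is below the required {required}")
```

Because the tree lists transitive dependencies too, the check also catches a Log4J version pulled in by another library rather than declared directly.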