To be clear: Is Grafana affected by log4j vulnerability?

There’s a pretty big vulnerability in log4j2. I just wanted to ask if Grafana is affected by this? I assume not, but couldn’t find a source.


For this vulner, I think grafana is not affected, but elasticsearch, if your datasource is elasticsearch.
Just add in the jvm.options as follow:

Fadjar Tandabawana

1 Like

There is a discussion here Critical vulnerability in log4j · Issue #43000 · grafana/grafana · GitHub

Security blog is here Security blog posts | Grafana Labs

I couldn’t find any entry about CVE-2021-44228 but security is a top priority for Grafana developers. So I assume it is not affected.

Would have at least expected a notice sent out or confirmation from the Grafana team by now though…

Agreed - a notice would be nice. Sadly, understand that it’s written in go etc etc, but we use this in a customer environment and they generally ask for something like ‘what does the vendor say’ rather than necessarily just take our word for it. …

1 Like

I’m in the same boat! Still no response from the team at Grafana despite contacting them directly too… :frowning:

Hello, Grafana Labs published an official statement today. Grafana and Grafana Enterprise are not affected by this log4j vulnerability.