To be clear: Is Grafana affected by the log4j vulnerability?

There’s a pretty big vulnerability in log4j2. I just wanted to ask if Grafana is affected by this? I assume not, but couldn’t find a source.

Hi,

For this vulnerability, I think Grafana is not affected, but Elasticsearch is, if your datasource is Elasticsearch.
Just add the following to jvm.options:
-Dlog4j2.formatMsgNoLookups=true

Regards,
Fadjar Tandabawana

There is a discussion here: Critical vulnerability in log4j · Issue #43000 · grafana/grafana · GitHub

The security blog is here: Security blog posts | Grafana Labs

I couldn’t find any entry about CVE-2021-44228 but security is a top priority for Grafana developers. So I assume it is not affected.

Would have at least expected a notice sent out or confirmation from the Grafana team by now though…

Agreed - a notice would be nice. Sadly, understand that it’s written in Go etc etc, but we use this in a customer environment and they generally ask for something like ‘what does the vendor say’ rather than necessarily just take our word for it. …

I’m in the same boat! Still no response from the team at Grafana despite contacting them directly too… :frowning:

Hello, Grafana Labs published an official statement today. Grafana and Grafana Enterprise are not affected by this log4j vulnerability.
