From db5c82cec8e39c84a1f9e0057ea372f76181abeb Mon Sep 17 00:00:00 2001 From: idk <hankhill19580@gmail.com> Date: Sat, 11 Dec 2021 12:40:45 -0500 Subject: [PATCH] draft CVE-2021-44228 blog post --- .../i2p-unaffected-cve-2021-44228.draft.rst | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 i2p2www/blog/2021/12/11/i2p-unaffected-cve-2021-44228.draft.rst diff --git a/i2p2www/blog/2021/12/11/i2p-unaffected-cve-2021-44228.draft.rst b/i2p2www/blog/2021/12/11/i2p-unaffected-cve-2021-44228.draft.rst new file mode 100644 index 000000000..8717b6e86 --- /dev/null +++ b/i2p2www/blog/2021/12/11/i2p-unaffected-cve-2021-44228.draft.rst 
@@ -0,0 +1,40 @@ +=========================================== +{% trans -%}I2P is not affected by the log4j vulnerability{%- endtrans %} +=========================================== + +.. meta:: + :author: idk, zzz + :date: 2021-12-11 + :category: security + :excerpt: {% trans %}I2P doesn't use log4j and is therefore unaffected by CVE-2021-44228{% endtrans %} + +{% trans -%} +Update details +{%- endtrans %} +============================================ + +{% trans -%} +I2P is not affected by the log4j 0-Day vulnerability which was published +yesterday, CVE-2021-44228. I2P doesn't use log4j for logging, however we also +needed to review our dependencies for log4j usage, especially jetty. This +review has not revealed any vulnerabilities. +{%- endtrans %} + +{% trans -%} +It was also important to check all of our plugins. Plugins may bring in their +own logging systems, including log4j. We found that most plugins also do not use +log4j, and those that do did not use a vulnerable version of log4j. +{%- endtrans %} + +{% trans -%} +As of now we haven't found any dependency, plugin or app that's vulnerable. +{%- endtrans %} + +{% trans -%} +We bundle a log4j.properties file with jetty for plugins that introduce log4j. This +file only has an effect on plugins which use log4j logging internally. We have +checked in the recommended mitigation to the log4j.properties file. Plugins which +enable log4j will run with the vulnerable feature disabled. As we cannot find any +usage of log4j 2.x anywhere, we have no plans to do an emergency release at this +time. +{%- endtrans %} -- GitLab
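Review bot: the mitigation paragraph near the end of the post never says what "the recommended mitigation" actually is or which log4j line it applies to, and that matters because the same paragraph states that no log4j 2.x usage could be found anywhere. A reader cannot tell whether the change to the bundled `log4j.properties` is a defence-in-depth measure for plugins that might pull in log4j 2.x later, or a fix for something actually shipped; suggest naming the exact setting that was checked in and adding one sentence such as "This setting only has an effect if a plugin loads log4j 2.x; it is a precaution, not a fix for a known exposure." The same applies to the earlier claim that plugins using log4j "did not use a vulnerable version": stating the version range that was considered vulnerable would make the review result verifiable by readers.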