Wagtail statement on Log4j vulnerability

In the last few days, there’s been widespread publicity regarding a serious vulnerability in the software Log4j, which is widely used by web-based Java applications and cloud suppliers. This vulnerability - CVE-2021-44228 and CVE-2021-45046, also known as Log4Shell or LogJam - allows complete system takeover on systems using certain versions of Log4j. It is being actively exploited across the web, and we are seeing multiple exploit attempts for it in server logs of Wagtail sites.

Wagtail itself isn’t vulnerable, however we recommend users of Elasticsearch (with our search backend or otherwise) consider updating to the latest version of Elasticsearch. This is based on Elastic’s official statement.

To check whether your site uses this search backend, review your site’s WAGTAILSEARCH_BACKENDS Django setting.

We take the security of Wagtail, and related packages we maintain, seriously. Please follow our security policy when reporting issues, and refer to our support channels for any other queries.

About

Features

Who uses Wagtail

Wagtail roadmap

Core team

Contact

Accessibility

Sustainability

Developer documentation

Packages

Wagtail User Guide

Try Wagtail

Get Help

FAQs

Wagtail GitHub

Blog

Slack

Newsletter

Wagtail Space

Code of conduct

Wagtail vs Wordpress

Wagtail vs Drupal

Wagtail AI

Localization & translations

Wagtail services

Sponsor a feature