According to Elastic, Elasticsearch is not affected by the #log4j vulnerability. That would've been Mastodon's only exposure to log4j.
Thankfully Smithereen is also not affected in any way. I use slf4j for logging and most of my dependencies do as well.
@grishka can't SLF4J delegate message logging to log4j2 under the right circumstances? Their page on the issue seemed to indicate that things might not be so straightforward: http://slf4j.org/log4shell.html
not a lot, just forever, nope, I don't have it, checked the dependency tree just to be sure. I use "slf4j-simple" which is basically a thin wrapper around writing strings to stdout/stderr/file.
@Gargron I have doubts. This repo https://github.com/YfryTchsGD/Log4jAttackSurface lists ElasticSearch as affected and seems to show evidence. However it's not very detailed.