Is Log4j used anywhere in Temporal code?

Can someone confirm that Temporal is not impacted by recent log4j vulnerabilities?
As I understand it, the only Java code in Temporal is the Java SDK, and I don’t see any log4j mentions there. So I assume we’re safe here, but it would be great if someone could confirm it.

The Temporal Java SDK doesn’t directly depend on any logging framework besides slf4j. For unit testing it depends on logback. So there is no direct log4j dependency.

The only subsystem that can have the Log4j dependency is ElasticSearch. Make sure to patch it if your Temporal setup runs with it.

1 Like

It looks like the docker compose image is using ES 7.10.1. According to ES, they’re using a patched version of log4j starting in 7.16.2.
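
A small check for the situation described in this post, added here as an example and not code from Temporal or the thread participants: it scans a docker-compose file for Elasticsearch image references and flags any tag below 7.16.2 (the version the post cites as the first to ship a patched log4j). The compose excerpt is constructed for the demo; digest-pinned or `latest` tags are reported as not verifiably patched rather than assumed safe.

```python
import re
from typing import List, Tuple

# First Elasticsearch version the thread names as carrying a patched log4j.
MIN_PATCHED_ES = (7, 16, 2)

# Constructed docker-compose excerpt for demonstration only (not Temporal's real file).
SAMPLE_COMPOSE = """
services:
  elasticsearch:
    image: elasticsearch:7.10.1
    environment:
      - discovery.type=single-node
  temporal:
    image: temporalio/auto-setup:1.14.0
    depends_on:
      - elasticsearch
"""

# Matches lines of the form `image: <ref>` (optionally quoted).
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^\s'\"]+)['\"]?\s*$", re.MULTILINE)


def split_ref(ref: str) -> Tuple[str, str]:
    """Split an image reference into (repository, tag).

    Handles registries with a port (registry:5000/elasticsearch) and
    digest-pinned refs (repo@sha256:...), whose tag cannot be recovered.
    """
    if "@" in ref:
        return ref.split("@", 1)[0], ""
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag at all, or the colon belonged to a registry port
        return ref, "latest"
    return name, tag


def parse_version(tag: str) -> Tuple[int, ...]:
    """Turn a tag like '7.10.1' into (7, 10, 1); non-numeric tags give ()."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else ()


def elasticsearch_images(compose_text: str) -> List[str]:
    """Return every image reference whose repository name ends in 'elasticsearch'."""
    refs = []
    for ref in IMAGE_RE.findall(compose_text):
        repo, _ = split_ref(ref)
        if repo.rsplit("/", 1)[-1] == "elasticsearch":
            refs.append(ref)
    return refs


def is_patched(ref: str) -> bool:
    """True only when the tag parses as a version >= MIN_PATCHED_ES.

    Unparseable tags ('latest', digests) return False: the version is
    unknown, so the image must be checked by hand rather than trusted.
    """
    _, tag = split_ref(ref)
    version = parse_version(tag)
    return len(version) == 3 and version >= MIN_PATCHED_ES


def audit(compose_text: str) -> List[Tuple[str, bool]]:
    """Pair each Elasticsearch image in the compose file with its patched status."""
    return [(ref, is_patched(ref)) for ref in elasticsearch_images(compose_text)]


if __name__ == "__main__":
    for ref, ok in audit(SAMPLE_COMPOSE):
        status = "patched" if ok else "NEEDS UPDATE (below 7.16.2)"
        print(f"{ref}: {status}")
```

Point `audit()` at the contents of your own `docker-compose.yml`; an empty result means no Elasticsearch service was found, which is itself worth confirming manually if you believe visibility is enabled.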

I just submitted a PR to address the vulnerability @jeffschoner pointed out.

(I wasn’t able to also create an issue in that repo to associate the PR with - it looks like for whatever reason temporalio has public issue filing disabled on that repo, but hopefully the PR is simple enough to stand on its own)

Hey everyone, a quick update before the holiday weekend. We merged the PR a few hours ago, along with a similar one in our helm-charts repo (Update Elasticsearch to 7.16.2 by tsurdilo · Pull Request #254 · temporalio/helm-charts · GitHub). Thanks for the PR, and if you have any other questions about this, please let us know!

1 Like