Wagtail statement on Log4j vulnerability
Wagtail itself isn’t vulnerable, but we encourage users of Elasticsearch to consider updating to the latest version of Elasticsearch.
In the last few days, there’s been widespread publicity regarding a serious vulnerability in the software Log4j, which is widely used by web-based Java applications and cloud suppliers. This vulnerability - CVE-2021-44228 and CVE-2021-45046, also known as Log4Shell or LogJam - allows complete system takeover on systems using certain versions of Log4j. It is being actively exploited across the web, and we are seeing multiple exploit attempts for it in server logs of Wagtail sites.
Wagtail itself isn’t vulnerable, however we recommend users of Elasticsearch (with our search backend or otherwise) consider updating to the latest version of Elasticsearch. This is based on Elastic’s official statement.
To check whether your site uses this search backend, review your site’s WAGTAILSEARCH_BACKENDS Django setting.
We take the security of Wagtail, and related packages we maintain, seriously. Please follow our security policy when reporting issues, and refer to our support channels for any other queries.