RabbitMQ is not affected by the Log4j vulnerability

December 16, 2021

RabbitMQ is not affected by the Log4j vulnerability. Details follow.

RabbitMQ is an Erlang application and as such runs on the BEAM virtual machine, which is not the Java virtual machine.

We do not ship Log4j in the RabbitMQ broker.

Our Java libraries (Java client, JMS client, etc.) depend on a logging façade (SLF4J), and application developers choose a “binding”, an implementation of a logging library, to use in their applications. Log4j is one of the bindings application developers might choose.

We do ship with a log binding for our utility programs, e.g. PerfTest, and the binding we use is Logback, which is not affected.

Please check your application code (if it is Java) and take remedial action there if your developers are using Log4j.
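
One way to run that check over built application artifacts is sketched below. It is an added example, not RabbitMQ code: it walks a directory, opens every jar/war/ear (including jars nested inside fat jars) and reports which logging implementation is packaged. The labels, function names and depth limit are assumptions made for this example.

```python
import io
import sys
import zipfile
from pathlib import Path

# Package prefixes that identify a logging implementation inside an archive.
# The labels on the right are names chosen for this example.
MARKERS = {
    "org/apache/logging/log4j/core/": "log4j2-core",
    "org/apache/log4j/": "log4j1-classes",
    "ch/qos/logback/classic/": "logback-classic",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
MAX_DEPTH = 3  # assumed limit on how deep nested archives are followed


def scan_archive(data, name, findings, depth=0):
    """Record marker packages found in one archive, recursing into nested
    archives (fat jars keep their dependencies as jars inside the jar)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.setdefault(name, set()).add("unreadable")
        return
    with zf:
        for entry in zf.namelist():
            for prefix, label in MARKERS.items():
                if entry.startswith(prefix) and entry.endswith(".class"):
                    findings.setdefault(name, set()).add(label)
            nested = entry.lower().endswith(ARCHIVE_SUFFIXES)
            if nested and depth < MAX_DEPTH:
                scan_archive(zf.read(entry), f"{name}!/{entry}", findings, depth + 1)


def scan_tree(root):
    """Return {archive path: set of labels} for every archive under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower().endswith(ARCHIVE_SUFFIXES):
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for archive, labels in scan_tree(root).items():
        print(archive + ": " + ", ".join(sorted(labels)))
```

A hit only says which implementation is packaged, not whether that version is affected; classes relocated to another package by shading are not matched.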

Written by: Ed Byford, Arnaud Cogoluègnes

Categories: announcements