pretix

pretix is unaffected by log4j vulnerability

13 Dec 2021

We're receiving a number of requests from customers asking us to clarify whether pretix is affected by the remote code execution vulnerability called "log4shell" (or, more formally, CVE-2021-44228) in the Java library log4j.

With this blog post, we want to share with you our current research on the topic. As far as we can tell, pretix is not impacted in any way and your data is safe. No action needs to be taken on your end.

pretix Enterprise / pretix Community

pretix itself is programmed in Python, not in Java, and thus does not use log4j and is entirely unaffected. Typical installations of pretix, using pretix together with PostgreSQL or MySQL as well as redis, also do not include any Java-based components. The only Java-based component used in some standard pretix setup is pdftk-java, a PDF file manipulation utility optionally used by pretix. pdftk-java is not using log4j and thus unaffected.

pretix Hosted

Just like pretix Enterprise and Community, pretix Hosted also does not run on Java. However, our setup is more complex than a standard pretix installation.

After our team became aware of the vulnerability last Friday, we began an audit of all infrastructure within our company to compile a list of every Java-based application running on our servers.

  • Our internal support system runs an instance of Elasticsearch, which we patched with one of the recommended workarounds. We do not believe the instance was compromised before we patched it, since it is not directly reachable from the internet and we did not find any exploitation attempts in our log files.

  • We run an instance of Jira, which is not vulnerable. We've applied one of the recommended workarounds anyway, just to be safe.

  • We use the error reporting tool Sentry, which in turn runs Apache Kafka and Apache ZooKeeper. These applications use log4j, although in version 1.x, which is not vulnerable in its default configuration. We've reviewed the configuration and it does not use the vulnerable configuration.
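The kind of inventory described above (listing which archives on a host bundle log4j, whether they still contain the class the common removal workaround strips, and whether a log4j 1.x configuration opts into the non-default appender that makes 1.x exposed) can be scripted. The following is an added example written for this post, not pretix's own tooling. It assumes the Maven `pom.properties` paths that log4j artifacts ship with, takes the JMSAppender class as the non-default 1.x configuration to flag (the post does not name it; that is this example's assumption), and builds its own constructed sample archives in a temporary directory so it runs offline:

```python
"""Inventory Java archives for bundled log4j and flag risky log4j 1.x configuration.

Added illustration, not pretix code. The sample archives and properties
files built below are constructed for this example.
"""
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

# Maven metadata paths that log4j artifacts carry inside the archive.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
# The class that the "remove JndiLookup from the jar" workaround deletes.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption of this example: the non-default log4j 1.x appender worth flagging.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


@dataclass
class JarFinding:
    path: str
    log4j2_version: Optional[str] = None
    has_jndi_lookup: bool = False
    log4j1_version: Optional[str] = None


def _version_from_pom(archive, member):
    """Read version=... from a pom.properties member; None if the member is absent."""
    try:
        text = archive.read(member).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(path):
    """Report what one archive bundles: log4j 2 version, JndiLookup presence, log4j 1 version."""
    finding = JarFinding(path=path)
    with zipfile.ZipFile(path) as archive:
        finding.log4j2_version = _version_from_pom(archive, LOG4J2_POM)
        finding.has_jndi_lookup = JNDI_LOOKUP_CLASS in set(archive.namelist())
        finding.log4j1_version = _version_from_pom(archive, LOG4J1_POM)
    return finding


def scan_tree(root):
    """Walk a directory tree and return findings for every .jar/.war/.ear that shows a log4j trace."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".jar", ".war", ".ear")):
                f = inspect_jar(os.path.join(dirpath, name))
                if f.log4j2_version or f.has_jndi_lookup or f.log4j1_version:
                    results.append(f)
    return results


def log4j1_uses_jms_appender(properties_text):
    """True if a log4j.properties body configures any appender with the JMSAppender class."""
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().startswith("log4j.appender.") and value.strip() == JMS_APPENDER:
            return True
    return False


# Constructed sample configurations (not from any real deployment).
SAMPLE_DEFAULT_PROPERTIES = """log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""
SAMPLE_JMS_PROPERTIES = """log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=placeholder-topic
"""


def build_sample_tree(root):
    """Constructed sample: a log4j-core 2.x jar still holding JndiLookup, a clean jar, a log4j 1.x jar."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as z:
        z.writestr(LOG4J2_POM, "version=2.14.1\nartifactId=log4j-core\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(os.path.join(lib, "clean-lib.jar"), "w") as z:
        z.writestr("com/example/Clean.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as z:
        z.writestr(LOG4J1_POM, "version=1.2.17\n")


def demo():
    """Build the sample tree in a temp dir, scan it, and summarise findings by archive name."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        summary = {
            os.path.basename(f.path): (f.log4j2_version, f.has_jndi_lookup, f.log4j1_version)
            for f in scan_tree(root)
        }
    return summary


if __name__ == "__main__":
    for name, (v2, jndi, v1) in demo().items():
        print(f"{name}: log4j2={v2} jndi_lookup={jndi} log4j1={v1}")
    print("default 1.x config uses JMSAppender:", log4j1_uses_jms_appender(SAMPLE_DEFAULT_PROPERTIES))
    print("sample JMS config uses JMSAppender:", log4j1_uses_jms_appender(SAMPLE_JMS_PROPERTIES))
```

Run against a real filesystem root instead of the temp tree, the `scan_tree` output is the list of archives to patch or upgrade; a log4j 2 archive with `has_jndi_lookup` still true has not had the class-removal workaround applied, and a log4j 1.x archive only needs follow-up when its configuration flags true in `log4j1_uses_jms_appender`.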

Even if one of these applications were compromised, all of them run in environments isolated from our pretix production environment, so a compromise would not extend to the data you entrust us with.

Client applications

While pretix itself is programmed in Python, our client applications pretixSCAN and pretixPOS are implemented in Java (the only exceptions are our iOS apps).

We've reviewed the dependency tree of pretixSCAN Desktop and pretixSCAN Proxy and can confirm that neither includes log4j. These applications are therefore unaffected.

Our Android applications pretixSCAN Android, pretixPOS, and pretixLEAD also do not bundle log4j. Additionally, there is currently no indication that the vulnerability is exploitable on the Android platform at all, since some of the mechanisms necessary for exploitation are missing.

Raphael Michel

Raphael is the founder and lead developer of pretix. He is passionate about user-friendly, elegant software and, when he is not too busy with pretix, enjoys helping to organise conferences himself.
