pretix is unaffected by log4j vulnerability
We're receiving a number of requests from customers asking us to clarify whether pretix is
affected by the remote code execution vulnerability called "log4shell" (or, more formally,
CVE-2021-44228) in the Java library
With this blog post, we want to share with you our current research on the topic. As far as we can tell, pretix is not impacted in any way and your data is safe. No action needs to be taken on your end.
pretix Enterprise / pretix Community
pretix itself is programmed in Python, not in Java, and thus does not use
log4j and is
entirely unaffected. Typical installations of pretix, using pretix together with PostgreSQL
or MySQL as well as redis, also do not include any Java-based components.
The only Java-based component used in some standard pretix setup is
pdftk-java, a PDF file
manipulation utility optionally used by pretix.
pdftk-java is not using
log4j and thus
Just like pretix Enterprise and Community, pretix Hosted also does not run on Java. However, our setup is more complex than a standard pretix installation.
After our team has become aware of the vulnerability last Friday, we started to perform an audit across all infrastructure within our company to compile a list of all Java-based applications running on our servers.
Our internal support system runs an instance of ElasticSearch, which we patched with one of the recommended workarounds. We do not believe the instance was compromised before we patched it, since it is not directly accessible from the internet and we did not find any exploitation attempts in our log files.
We run an instance of Jira, which is not vulnerable. We've applied one of the recommended workarounds anyways, just to be safe.
We use the error reporting tool Sentry, which in turn runs Apache Kafka and Apache ZooKeeper. These applications use
log4j, although in version 1.x which is not vulnerable in its default configuration. We've reviewed the configuration and it does not include the vulnerable configuration.
Even if one of these applications was compromised, all of them are running in environments isolated from our pretix production environment, so it would not lead to a compromise of the data you entrust us with.
While pretix itself is programmed in Python, our client applications pretixSCAN and pretixPOS are implemented in Java (the only exceptions are our iOS apps).
We've reviewed the dependency tree of pretixSCAN Desktop and pretixSCAN Proxy and can
confirm that neither includes
log4j. These appplications are therefore unaffected.
Our Android applications pretixSCAN Android, pretixPOS, and pretixLEAD also do not
log4j. Additionally, there is currently no indication that the vulnerability is
exploitable on the Android platform at all, since some of the mechanisms necessary for exploitation are missing.