This last Thursday 9th of December 2021, a critical 0-day type vulnerability has been detected by the IT team of Alibaba (the famous Chinese e-commerce website). This vulnerability is considered *critical* and might allow anyone to execute arbitrary code on a server equipped with Log4j (i.e. real bad).
Log4j is a library used in other software written in Java. Chamilo doesn’t use Java and is, as such, not affected itself. Some of our users, however, use Java software to provide extended capabilities to Chamilo, like the “Chamilo Rapid” converter of PPT to learning paths, or BigBlueButton, the videoconference software.
BigBlueButton, the most common of these extensions, doesn’t seem affected by this issue. In recent versions, at least, it doesn’t make use of Log4j. If you use Scalelite, it doesn’t seem affected either. So there’s nothing to do.
Chamilo Rapid (in fact, LibreOffice which is used by Chamilo Rapid), however, seems to install Log4j by default during its installation.
We did check, though, and removing Log4j from the LibreOffice installation does not seem to affect Chamilo Rapid. So as long as you do not depend on it for other Java software on your server, you could safely remove it. To do this on Debian or Ubuntu servers, just launch the following command:
sudo apt remove log4j
This will also remove another set of packages that do not seem necessary as far as Chamilo Rapid is concerned.
If you use Metabase in combination with Chamilo, you will have to stop the service, update it with (at least) v0.41.4, and restart, as Metabase *is* affected by the issue.
If you would like to use a technical support contract from us, don’t hesitate to contact us at: email@example.com.