Not vulnerable to the Log4Shell exploit

Hello everyone,

As you may have heard, a serious security problem was recently discovered in the Log4j Java logging framework. KoBoToolbox does not use Log4j and therefore is not vulnerable to this problem.

If you’d like more detail: the only part of the KoBoToolbox server software that’s written in Java is ODK Validate. ODK Validate in turn uses a library called JavaRosa. Either of these could contain Log4j, but they do not; instead, they use SLF4J:

You may further confirm for yourself that no Log4j classes appear in any JAR files on a KoBoToolbox server:

ubuntu@kobo-host:/$ sudo find -iname '*.jar' -exec unzip -l \{} \; 2>&1 | grep -i log4j

A search with the same technique for slf4j, however, should return many results:

ubuntu@kobo-host:/$ sudo find -iname '*.jar' -exec unzip -l \{} \; 2>&1 | grep -i slf4j
        0  2017-03-16 17:36   META-INF/maven/org.slf4j/
        0  2017-03-16 17:36   META-INF/maven/org.slf4j/slf4j-nop/
      109  2017-03-16 17:18   META-INF/maven/org.slf4j/slf4j-nop/
      786  2017-03-16 16:53   META-INF/maven/org.slf4j/slf4j-nop/pom.xml

If you disagree with this analysis, or you want to report a different security problem with KoBoToolbox, do not post it in a public venue like this forum or GitHub. Instead, send an email to Thank you!

John Milner
Lead Developer