Title: Apache Log4j Remote Code Execution Vulnerability

Announced: December 16, 2021

Fixed in: N/A


LibreOffice does not contain a copy of Log4j so it does not bundle an affected version of Log4j, and LibreOffice does not have a direct dependency on Log4j.

In versions of LibreOffice prior to 7.2 the report building/reporting part of the database application may do some logging via
apache-commons-logging and/or jcommon-logging and it is then maybe possible that if the system has Log4j installed that this logging can be rerouted though Log4j. In any case this scenario requires a vulnerable Log4j to be installed by something/someone else and such a third-party-provided vulnerable Log4j should be replaced anyway as a matter of course.