After the Log4j vulnerability was disclosed in early December 2021, we investigated whether the Revive Adserver software is affected by it. This was also prompted by an issue that a user opened on our GitHub repository. That user had run a file checker, which reported that a file shipped with the Revive Adserver software contains log4j files.
The file in question appears to have been introduced over a decade ago, together with the example XML-RPC Java API client, and was possibly intended for automated tests of that API.
If our published security guidelines are implemented, the affected jar file is not accessible from the outside. It is also not used by the Revive Adserver software in any way. As such, there is no indication that the Revive Adserver software is affected by the Log4j vulnerability.
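For readers who want to reproduce the kind of check the reporting user's file checker performed, here is an added example (not part of this advisory and not Revive Adserver code) that walks a directory tree, opens every jar, and reports whether it bundles Log4j 2 classes, which Maven artifact and version the jar declares, and whether the `JndiLookup` class is present. The class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` is the real location inside log4j-core; the directory layout, the jar names and the version string `2.14.1` in the sample tree are constructed for the demo and are not a statement about what Revive Adserver ships. As the advisory notes, a hit only means the bytes are on disk; whether the jar is loaded by anything, or reachable over the web, is a separate question.

```python
import os
import re
import tempfile
import zipfile

# Real class path inside log4j-core; its presence marks a jar that contains
# the JNDI lookup component. Everything else below is an assumed helper.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_PREFIX = "org/apache/logging/log4j/"
POM_PROPS_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/([^/]+)/pom\.properties$"
)


def inspect_jar(path):
    """Describe any Log4j 2 content found inside a single jar file.

    Returns a dict with the number of org.apache.logging.log4j classes,
    whether JndiLookup.class is present, and artifactId -> version for any
    Log4j pom.properties files embedded by Maven.
    """
    result = {"path": path, "log4j_classes": 0, "jndi_lookup": False, "artifacts": {}}
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name.startswith(LOG4J_PREFIX) and name.endswith(".class"):
                result["log4j_classes"] += 1
            if name == JNDI_LOOKUP_CLASS:
                result["jndi_lookup"] = True
            m = POM_PROPS_RE.match(name)
            if m:
                props = jar.read(name).decode("utf-8", errors="replace")
                version = "unknown"
                for line in props.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
                result["artifacts"][m.group(1)] = version
    return result


def scan_tree(root):
    """Inspect every *.jar under root and return only the jars with Log4j content."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".jar"):
                info = inspect_jar(os.path.join(dirpath, fn))
                if info["log4j_classes"] or info["artifacts"]:
                    hits.append(info)
    return hits


def build_sample_tree():
    """Create a constructed directory tree for the demo: one jar that bundles
    a fake log4j-core 2.14.1 (with JndiLookup) and one unrelated client jar.
    The class bodies are placeholder bytes, not real bytecode."""
    root = tempfile.mkdtemp(prefix="log4j-scan-demo-")
    lib = os.path.join(root, "sample-java-client", "lib")  # assumed layout
    os.makedirs(lib)
    fake_class = b"\xca\xfe\xba\xbe"  # Java class-file magic only
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as z:
        z.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )
        z.writestr(JNDI_LOOKUP_CLASS, fake_class)
        z.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    with zipfile.ZipFile(os.path.join(lib, "xmlrpc-client.jar"), "w") as z:
        z.writestr("org/example/Client.class", fake_class)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        flag = "JndiLookup present" if hit["jndi_lookup"] else "no JndiLookup"
        print(f"{hit['path']}: {hit['log4j_classes']} log4j classes, "
              f"{hit['artifacts']}, {flag}")
```

Run it against a real install root instead of `build_sample_tree()` to get the same report for jars actually on disk. Note that the scan only looks one level deep: a jar nested inside a war or ear would need the inner archive opened in turn, and a build that shaded Log4j under a different package prefix would not match `LOG4J_PREFIX`, so the `JndiLookup` check and the pom.properties check are complementary rather than redundant.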
We will most likely remove the sample Java client and its supporting jar files in a future release of Revive Adserver, as these files are not being maintained and haven’t been tested for ages. This should also help avoid unnecessary file detection reports from log4j vulnerability scanners.
Please follow the original GitHub issue and any comments posted there to stay up to date on this particular topic.
Please also take note of our Security advisories. If you think you’ve found an actual vulnerability, please report it to us responsibly through our HackerOne security reporting program.