As one of the points of contact at CERT for LLVM, I’ve received messages from CERT asking if LLVM is affected by any of the recent log4j vulnerabilities: CVE-2021-45105, CVE-2021-4104, CVE-2021-45046 and CVE-2021-44228. It seems CERT is reaching out to every single vendor registered with them about these vulnerabilities.

As far as I know no LLVM sub-project uses Java, so LLVM should not be vulnerable to any of the log4j issues.

Before I go ahead and record in the CERT database that LLVM is not affected, I thought I’d just double check if anyone is aware of any use of Java in LLVM and/or any potential way LLVM could be affected by the recent log4j issues?

Thanks,

Kristof