Log4Shell (CVE-2021-44228): Foldr’s response
Historical advisory. This article is preserved as a record of how Foldr handled the Log4Shell incident in December 2021. The mitigations described shipped in Foldr server v4.22.1.3 and v4.22.1.5; current Foldr releases incorporate them and have moved on to far newer log4j versions. If you’re investigating Log4Shell exposure on a Foldr deployment today, you only need to confirm you’re on a current v10 release.
The Log4Shell vulnerability in Apache Log4j was disclosed to Apache on 24 November 2021 and made public on 9 December 2021. More background: Log4Shell on Wikipedia.
Why Foldr was not exposed
Our analysis at the time, captured here for the record:
- Java surface is search-only. The only component of the Foldr server that uses Java is the search service. Deployments not using Foldr search have no Java service running and were unaffected.
- Search is not internet-facing. The search service is not directly exposed to the internet. Search input is supplied only by authenticated Foldr users, and the Foldr server tokenises that input before forwarding it to the search service.
- Query logging disabled. The search service inside Foldr is not configured for query logging, removing one of the common Log4Shell attack paths (logging attacker-controlled strings).
- OpenJDK setting. The OpenJDK shipped inside Foldr had com.sun.jndi.rmi.object.trustURLCodebase set to false, which prevents the remote-code-download path that Log4Shell relied on.
In combination, we did not believe a Foldr server was exposed to this particular attack.
Mitigations applied anyway
Even with the above analysis, we shipped two precautionary updates:
- v4.22.1.3 (13 December 2021): set log4j2.formatMsgNoLookups to true server-wide as an additional mitigation.
- v4.22.1.5 (17 December 2021): replaced the log4j JAR files inside the search service with fully patched versions.
Both changes are part of the v4 update stream and rolled forward into all subsequent releases. Customers on supported releases received them automatically.
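As an added illustration (example code, not Foldr's own), the check below classifies a log4j-core JAR the way the two mitigations above would be assessed: a JAR at or above the fixed release counts as patched (the JAR-replacement path), an older JAR counts as mitigated only if JndiLookup has been removed or formatMsgNoLookups is in force on a version that honours it. The version thresholds and the pom.properties/class paths are public log4j facts, not values from this advisory, and they cover CVE-2021-44228 only; the build_sample_jar fixture is constructed for offline use and is not a real log4j build.

```python
import io
import re
import zipfile
from typing import Optional, Union

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Thresholds are public log4j release facts, not values from the advisory:
# 2.10.0 introduced formatMsgNoLookups; 2.15.0 disabled message lookups by default.
NOLOOKUPS_MIN = (2, 10, 0)
FIXED_MIN = (2, 15, 0)

def parse_version(text: str) -> Optional[tuple]:
    """Pull (major, minor, patch) out of a pom.properties blob."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify_jar(jar: Union[str, bytes], format_msg_no_lookups: bool = False) -> dict:
    """Classify one archive given as a path or raw bytes. `format_msg_no_lookups`
    mirrors the server-wide property Foldr set in v4.22.1.3."""
    src = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return {"status": "not-log4j-core", "version": None, "jndi_lookup": False}
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None:
        status = "unknown-version"
    elif version >= FIXED_MIN:
        status = "patched"          # lookups off by default; JAR replacement path (v4.22.1.5)
    elif not has_jndi:
        status = "mitigated-class-removed"
    elif format_msg_no_lookups and version >= NOLOOKUPS_MIN:
        status = "mitigated-no-lookups"   # property is honoured only from 2.10.0
    else:
        status = "vulnerable"
    return {"status": status, "version": version, "jndi_lookup": has_jndi}

def build_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed fixture shaped like log4j-core, not a real build; lets the
    classifier run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()
```

On a real deployment, point classify_jar at each JAR under the search service and pass format_msg_no_lookups=True only if the property is confirmed on the running JVM.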
Related articles
- Foldr search setup: the search component the mitigations apply to.
- Foldr Server (Alma): current v10 release notes.