Cloudron Forum
Log4j and log4j2 library vulnerability

security
31 Posts 10 Posters 2.9k Views
  • JOduMonT replied to BrutalBirdie, #3

    @brutalbirdie said in Log4j and log4j2 library vulnerability:

    Cloudron tho runs mostly on JavaScript.

    Just to clarify, Java and JavaScript are not the same, not even compatible.
    JavaScript is more for the web, while Java is more for embedded systems.

  • nebulon (Staff), #4

    Right so Cloudron as the platform is not affected by this as far as I understand. We don't use log4j(2).

    With regards to apps which may potentially use it, I only found Metabase to be using it at least, but so far hard to tell how and if that is affected.

  • nebulon (Staff), #5

    Ok so metabase and grafana packages are now updated to have a fix for this vulnerability.

    Let us know if further apps, which I might have missed just now, also require fixes.

  • Mastadamus replied to nebulon, #6

    @nebulon awesome. Thank y'all for hopping on this. This was huge.

  • jdaviescoates replied to nebulon, #7

    @nebulon said in Log4j and log4j2 library vulnerability:

    Ok so metabase and grafana packages are now updated to have a fix for this vulnerability.

    Let us know if further apps, which I might have missed just now, also require fixes.

    Looks like Minecraft needs an update too:

    @loudlemur said in Security: Log4shell:

    There is a serious security problem with minecraft:
    https://www.abc.net.au/news/2021-12-11/log4shell-techs-race-to-fix-software-flaw/100692876

    I don't know if this affects Cloudron's software, but it is already weaponized, apparently.

    I use Cloudron with Gandi & Hetzner

  • Mastadamus replied to jdaviescoates, #8

    @jdaviescoates It's heavily weaponized. If you have an app that's affected, chances are it's going to get popped if you leave it unmitigated. A broad array of actors are exploiting it, from coin miners to more advanced threats. GreyNoise is tracking the IPs associated with the threat campaigns, and right now they are numerous.

  • privsec, #9

    Nextcloud, Minecraft use this, right?

  • Mastadamus replied to privsec, #10

    @privsec I'm already receiving exploit/scan attempts inbound. No successful exploits. I believe nothing in my Cloudron stack uses it. I can't find any confirmation Nextcloud does. If you find something, I'd love it ASAP.

  • Mastadamus replied to privsec, #11

    @privsec I tested Nextcloud with a log4j2 testing tool from Huntress and I couldn't get it to call back to the LDAP server, so I think it's gtg.

  • necrevistonnezr replied to Mastadamus, #12

    Here's a maintained list with log4j advisories: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

    log4j detector: https://github.com/mergebase/log4j-detector

    "Vaccine": https://www.bleepingcomputer.com/news/security/researchers-release-vaccine-for-critical-log4shell-vulnerability/

  • rmdes replied to necrevistonnezr, #13

    Docker Scan should allow us to scan Cloudron containers if any doubt remains:
    https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

    Edit: https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0

  • rmdes replied to rmdes, #14

    This tool is also neat, with or without Cloudron context: https://github.com/fullhunt/log4j-scan

  • girish (Staff), #15

    "Log4j 2.15.0 and previously suggested mitigations may not be enough" - https://isc.sans.edu/diary/Log4j+2.15.0+and+previously+suggested+mitigations+may+not+be+enough/28134

  • necrevistonnezr replied to girish, #16

    @girish I ran https://github.com/mergebase/log4j-detector today and it seems that at least Solr is vulnerable(?)

    /proc/5961/task/9300/cwd/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
    /var/lib/docker/overlay2/32ab0d12f3342918d0ffea4a1392cb760f852f9bf0a219c682dd366ff26e72bc/diff/usr/share/java/log4j-1.2-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
    /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
    /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
    /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
    /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
  • BrutalBirdie (Staff) replied to necrevistonnezr, #17

    @nebulon ping
    Can you check that out?

    Like my work? Consider donating a drink. Cheers!

  • nebulon (Staff) replied to BrutalBirdie, #18

    @brutalbirdie just because the library is used does not mean the app is actually vulnerable. In either case, all we can really do from our side is to closely track upstream releases during such times and release new app packages ASAP. We usually can't really patch the upstream apps easily. In this case it seems to be Prometheus related? @necrevistonnezr do you know which app those layers are related to in your case?

  • necrevistonnezr replied to nebulon, #19

    @nebulon The only Solr instance is the Cloudron internal mail indexing, in my case.

  • nebulon (Staff) replied to necrevistonnezr, #20

    @necrevistonnezr ah ok, then this is fine. It is not exposed or anything.

  • girish (Staff), #21

    I am aware of Solr being detected by the static analyzers (the marketplace images complain about the same). Solr is used internally for full text search in the mail container. It's not on by default, and it's also not exposed outside the internal Docker network (so not exposed to the outside world).

    Still, we will update the mail container. Solr only put out a new release yesterday which updates log4j.

  • Mastadamus replied to girish, #22

    @girish The minimum patch to rectify log4j2 issues is 2.16; 2.15 is affected by a CVSS 9.0 RCE in some instances.

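    Added example (not from this thread or any of the tools linked in it): a small defender-side scanner in the spirit of the log4j-detector output in #16 and the "2.16 is the minimum patch" point in #22. It walks a directory tree such as an extracted container layer, finds every log4j-core jar, reads the version from the jar's own pom.properties (falling back to the filename), and also checks whether the JndiLookup class is present, since an old jar with that class removed is mitigated rather than vulnerable. The 2.16.0 threshold is taken from the thread as an assumption and should be raised as advisories change; the demo() jars are constructed fakes for offline testing.

```python
import os
import re
import tempfile
import zipfile

MIN_FIXED = (2, 16, 0)  # assumption from the thread (#22); raise as advisories update
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Return (major, minor, patch) from a string such as 'log4j-core-2.14.1.jar'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def assess_jar(path):
    """Classify one jar by its pom.properties version (filename as fallback) and JndiLookup presence."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    version = version or parse_version(os.path.basename(path))
    has_jndi = JNDI_CLASS in names
    if version is None:
        status = "UNKNOWN"
    elif version >= MIN_FIXED:
        status = "FIXED"
    elif not has_jndi:
        status = "MITIGATED"  # old jar, but the JNDI lookup class has been removed
    else:
        status = "VULNERABLE"
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "status": status}

def scan_tree(root):
    """Walk a tree (e.g. an extracted container layer) and assess every log4j-core jar in it."""
    return [assess_jar(os.path.join(d, f)) for d, _, files in os.walk(root)
            for f in files if f.startswith("log4j-core") and f.endswith(".jar")]

def demo():
    """Constructed sample jars (not real log4j) so the scanner can be exercised offline."""
    root = tempfile.mkdtemp()
    for name, ver, jndi in [("log4j-core-2.14.1.jar", "2.14.1", True),
                            ("log4j-core-2.16.0.jar", "2.16.0", True),
                            ("log4j-core-2.14.1-stripped.jar", "2.14.1", False)]:
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr(POM_PROPS, f"version={ver}\n")
            if jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return {os.path.basename(r["path"]): r["status"] for r in scan_tree(root)}
```

    Pointing scan_tree() at /var/lib/docker/overlay2 covers the layer paths the detector reported above; a "FIXED" verdict only says the jar version is at or above the threshold, not that the app is safe, which matches nebulon's caveat in #18.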