Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Support
  3. Log4j and log4j2 library vulnerability

Log4j and log4j2 library vulnerability

Scheduled Pinned Locked Moved Solved Support
security
31 Posts 10 Posters 10.5k Views 11 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • nebulonN Offline
    nebulonN Offline
    nebulon
    Staff
    wrote on last edited by
    #4

    Right so Cloudron as the platform is not affected by this as far as I understand. We don't use log4j(2).

    With regards to apps which may potentially use it, I only found Metabase to be using it at least, but so far hard to tell how and if that is affected.

    1 Reply Last reply
    6
    • nebulonN Offline
      nebulonN Offline
      nebulon
      Staff
      wrote on last edited by
      #5

      Ok so metabase and grafana packages are now updated to have a fix for this vulnerability.

      Let us know if further apps I might have missed just now, also require fixes.

      M jdaviescoatesJ 2 Replies Last reply
      8
      • nebulonN nebulon

        Ok so metabase and grafana packages are now updated to have a fix for this vulnerability.

        Let us know if further apps I might have missed just now, also require fixes.

        M Offline
        M Offline
        Mastadamus
        wrote on last edited by
        #6

        @nebulon awesome. Thank yall for hopping on this. This was huge.

        1 Reply Last reply
        1
        • nebulonN nebulon

          Ok so metabase and grafana packages are now updated to have a fix for this vulnerability.

          Let us know if further apps I might have missed just now, also require fixes.

          jdaviescoatesJ Offline
          jdaviescoatesJ Offline
          jdaviescoates
          wrote on last edited by jdaviescoates
          #7

          @nebulon said in Lo4j and log4j2 library vulnerability:

          Ok so metabase and grafana packages are now updated to have a fix for this vulnerability.

          Let us know if further apps I might have missed just now, also require fixes.

          Looks like Minecraft needs an update too:

          @loudlemur said in Security: Log4shell:

          There is a serious security problem with minecraft:
          https://www.abc.net.au/news/2021-12-11/log4shell-techs-race-to-fix-software-flaw/100692876

          I don't know if this effects Cloudron's software, but it is already weaponized, apparently.

          I use Cloudron with Gandi & Hetzner

          M 1 Reply Last reply
          1
          • jdaviescoatesJ jdaviescoates

            @nebulon said in Lo4j and log4j2 library vulnerability:

            Ok so metabase and grafana packages are now updated to have a fix for this vulnerability.

            Let us know if further apps I might have missed just now, also require fixes.

            Looks like Minecraft needs an update too:

            @loudlemur said in Security: Log4shell:

            There is a serious security problem with minecraft:
            https://www.abc.net.au/news/2021-12-11/log4shell-techs-race-to-fix-software-flaw/100692876

            I don't know if this effects Cloudron's software, but it is already weaponized, apparently.

            M Offline
            M Offline
            Mastadamus
            wrote on last edited by
            #8

            @jdaviescoates Its heavily weaponized. Like if you have an app thats affected chances are its going to get popped if you leave it unmitigated. Broad array of actors are exploiting it.. from coin miners to more advanced threats. Grey noise is tracking the IP's associated with the threat campaigns and right now they are numerous.

            1 Reply Last reply
            1
            • P Offline
              P Offline
              privsec
              wrote on last edited by
              #9

              Nextcloud, mincraft, use this, right?

              M 2 Replies Last reply
              0
              • P privsec

                Nextcloud, mincraft, use this, right?

                M Offline
                M Offline
                Mastadamus
                wrote on last edited by
                #10

                @privsec I'm already receiving exploit/scan attempts inbound. No successful exploits. I believe nothing in my cloudron stack uses it. I can't find any confirmation nextcloud does. If you find something i'd love it asap.

                1 Reply Last reply
                1
                • BrutalBirdieB BrutalBirdie referenced this topic on
                • P privsec

                  Nextcloud, mincraft, use this, right?

                  M Offline
                  M Offline
                  Mastadamus
                  wrote on last edited by
                  #11

                  @privsec I tested nextcloud with a log4j2 testing tool from huntress and I couldn't get it to callback to the ldap server so i think its gtg.

                  necrevistonnezrN 1 Reply Last reply
                  1
                  • M Mastadamus

                    @privsec I tested nextcloud with a log4j2 testing tool from huntress and I couldn't get it to callback to the ldap server so i think its gtg.

                    necrevistonnezrN Offline
                    necrevistonnezrN Offline
                    necrevistonnezr
                    wrote on last edited by necrevistonnezr
                    #12

                    Here's a maintained list with log4j advisories: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

                    log4j detector: https://github.com/mergebase/log4j-detector

                    "Vaccine": https://www.bleepingcomputer.com/news/security/researchers-release-vaccine-for-critical-log4shell-vulnerability/

                    rmdesR 1 Reply Last reply
                    2
                    • necrevistonnezrN necrevistonnezr

                      Here's a maintained list with log4j advisories: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

                      log4j detector: https://github.com/mergebase/log4j-detector

                      "Vaccine": https://www.bleepingcomputer.com/news/security/researchers-release-vaccine-for-critical-log4shell-vulnerability/

                      rmdesR Offline
                      rmdesR Offline
                      rmdes
                      wrote on last edited by rmdes
                      #13

                      Docker Scan should allow us to scan cloudron containers if any doubt remains :
                      https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

                      edit : https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0

                      rmdesR M 2 Replies Last reply
                      1
                      • rmdesR rmdes

                        Docker Scan should allow us to scan cloudron containers if any doubt remains :
                        https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

                        edit : https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0

                        rmdesR Offline
                        rmdesR Offline
                        rmdes
                        wrote on last edited by
                        #14

                        This tool is also neat, with or without cloudron context : https://github.com/fullhunt/log4j-scan

                        1 Reply Last reply
                        3
                        • girishG Offline
                          girishG Offline
                          girish
                          Staff
                          wrote on last edited by
                          #15

                          "Log4j 2.15.0 and previously suggested mitigations may not be enough" - https://isc.sans.edu/diary/Log4j+2.15.0+and+previously+suggested+mitigations+may+not+be+enough/28134

                          necrevistonnezrN 1 Reply Last reply
                          1
                          • girishG girish

                            "Log4j 2.15.0 and previously suggested mitigations may not be enough" - https://isc.sans.edu/diary/Log4j+2.15.0+and+previously+suggested+mitigations+may+not+be+enough/28134

                            necrevistonnezrN Offline
                            necrevistonnezrN Offline
                            necrevistonnezr
                            wrote on last edited by
                            #16

                            @girish I ran https://github.com/mergebase/log4j-detector today and it seems that at least SOLR is vulnerable(?)

                            /proc/5961/task/9300/cwd/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                            /var/lib/docker/overlay2/32ab0d12f3342918d0ffea4a1392cb760f852f9bf0a219c682dd366ff26e72bc/diff/usr/share/java/log4j-1.2-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
                            /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                            /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                            /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                            /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                            
                            BrutalBirdieB 1 Reply Last reply
                            2
                            • necrevistonnezrN necrevistonnezr

                              @girish I ran https://github.com/mergebase/log4j-detector today and it seems that at least SOLR is vulnerable(?)

                              /proc/5961/task/9300/cwd/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                              /var/lib/docker/overlay2/32ab0d12f3342918d0ffea4a1392cb760f852f9bf0a219c682dd366ff26e72bc/diff/usr/share/java/log4j-1.2-1.2.17.jar contains Log4J-1.x   <= 1.2.17 _OLD_ :-|
                              /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                              /var/lib/docker/overlay2/5bb4ce30d32c6760fe21e98ab6f98651bf9591e83ab2385f0a4833ee5ef0c979/diff/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                              /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                              /var/lib/docker/overlay2/f8ed382cc2590afd6189335f84aaf0f561811a5165dbf58191be61048c5312f5/merged/app/code/solr/server/lib/ext/log4j-core-2.14.1.jar contains Log4J-2.x   >= 2.10.0 _VULNERABLE_ :-(
                              
                              BrutalBirdieB Offline
                              BrutalBirdieB Offline
                              BrutalBirdie
                              Partner
                              wrote on last edited by
                              #17

                              @nebulon ping
                              Can you check that out?

                              Like my work? Consider donating a drink. Cheers!

                              nebulonN 1 Reply Last reply
                              1
                              • BrutalBirdieB BrutalBirdie

                                @nebulon ping
                                Can you check that out?

                                nebulonN Offline
                                nebulonN Offline
                                nebulon
                                Staff
                                wrote on last edited by
                                #18

                                @brutalbirdie just because the library is used, does not mean the app is actually vulnerable. In either case all we can really do from our side is to closely track upstream releases during such times and release new app packages asap. We usually can't really patch the upstream apps easily. In this case it seem to be prometheus related? @necrevistonnezr do you know to which app those layers in your case are related to?

                                necrevistonnezrN 1 Reply Last reply
                                2
                                • nebulonN nebulon

                                  @brutalbirdie just because the library is used, does not mean the app is actually vulnerable. In either case all we can really do from our side is to closely track upstream releases during such times and release new app packages asap. We usually can't really patch the upstream apps easily. In this case it seem to be prometheus related? @necrevistonnezr do you know to which app those layers in your case are related to?

                                  necrevistonnezrN Offline
                                  necrevistonnezrN Offline
                                  necrevistonnezr
                                  wrote on last edited by
                                  #19

                                  @nebulon The only SOLR instance is the Cloudron internal mail indexing, in my case.

                                  nebulonN 1 Reply Last reply
                                  0
                                  • necrevistonnezrN necrevistonnezr

                                    @nebulon The only SOLR instance is the Cloudron internal mail indexing, in my case.

                                    nebulonN Offline
                                    nebulonN Offline
                                    nebulon
                                    Staff
                                    wrote on last edited by
                                    #20

                                    @necrevistonnezr ah ok, then this is fine. It is not exposed or anything.

                                    3 1 Reply Last reply
                                    0
                                    • girishG Offline
                                      girishG Offline
                                      girish
                                      Staff
                                      wrote on last edited by
                                      #21

                                      I am aware of solr being detected by the static analyzers (the marketplace images complain about the same). solr is used internally for full text search in the mail container. It's not on by default and it's also not exposed outside the internal docker network (so not exposed to outside world).

                                      Still, we will update the mail container. Solr only put out a new release yesterday which update log4j.

                                      M 1 Reply Last reply
                                      3
                                      • girishG girish

                                        I am aware of solr being detected by the static analyzers (the marketplace images complain about the same). solr is used internally for full text search in the mail container. It's not on by default and it's also not exposed outside the internal docker network (so not exposed to outside world).

                                        Still, we will update the mail container. Solr only put out a new release yesterday which update log4j.

                                        M Offline
                                        M Offline
                                        Mastadamus
                                        wrote on last edited by
                                        #22

                                        @girish min patch to rectify log4j2 issues is 2.16 .. 2.15 is affected by cvss 9.0 rce in some instances.

                                        1 Reply Last reply
                                        4
                                        • rmdesR rmdes

                                          Docker Scan should allow us to scan cloudron containers if any doubt remains :
                                          https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

                                          edit : https://github.com/docker/scan-cli-plugin/releases/tag/v0.11.0

                                          M Offline
                                          M Offline
                                          Mastadamus
                                          wrote on last edited by
                                          #23

                                          @rmdes good suggestion.

                                          M 1 Reply Last reply
                                          0
                                          Reply
                                          • Reply as topic
                                          Log in to reply
                                          • Oldest to Newest
                                          • Newest to Oldest
                                          • Most Votes


                                          • Login

                                          • Don't have an account? Register

                                          • Login or register to search.
                                          • First post
                                            Last post
                                          0
                                          • Categories
                                          • Recent
                                          • Tags
                                          • Popular
                                          • Bookmarks
                                          • Search