Apache and Log4j, should Nextcloud servers be concerned?

Not sure if everyone is aware here, but I know that my server uses Apache, but since I know very little about coding, I have no idea if I should be concerned about this recent vulnerability discovered.

Can some developers chime in here to give me some comfort?

2 Likes

Hi @FamilyAdmin

I’m not a dev, but Nextcloud is built on PHP, therefore I doubt that they use a Java library like Log4j. Maybe it’s there if you have any 3rd party apps installed like Elasticsearch or Jitsi, which are based on Java… But I’m pretty sure that the Nextcloud server itself and its core apps don’t use it and the Apache HTTP server definitely doesn’t.

Or in other words: Unless you have any Java applications installed, you most likely don’t have Log4j on your server. If you want to be sure, check your server with sudo find / -name "log4j*"

IMHO a more applicable command would be:

apt list --installed | grep log4j

The above command line lists installed packages and filters for log4j, while not depending on sudo or requiring any sysadmin credentials.

Happy hacking.
:sunflower:

The assumption by @bb77 seems to hold for standard Debian installations. A normal Apache web server install on Debian does not include Log4j and/or Java, if I am correct.

However, users of a community version of Nextcloud deployed on a Debian system with Java capabilities installed may find the below information useful:

If Log4j is installed, there is some advice on a mitigation procedure available here:

However, this procedure may not be easily feasible to community users and all community system admins. Furthermore, due to the comments in the bug report it appears this mitigation may be somewhat incomplete as provided by the Log4j Security Team.

Last but not least, one may find the advice and explanations provided by the below article useful:

Hope this helps. Please be aware this is a community forum and my humble assumptions may be misleading and/or incorrect.

Happy hacking.
:sunflower:

1 Like

Yeah, but if it for some reason got downloaded or installed without using the package manager, you won’t find it with the apt command, but the “find” command should find it anyway. At least on my separate Jitsi instance, it did.

Yep. If you for some reason have installed any Java application on your Nextcloud server, chances are high that log4j is installed on your system. And those who use Docker and use it to host all sorts of applications from all sorts of sources have a high chance of even having it installed multiple times. The find command on the underlying OS or the package manager then obviously cannot find it.

1 Like

On my instance it found some results:

/var/lib/docker/overlay2/6d5ff9c5d7a124b97363caad44b7a700ab17d7ae995454ccbfaee440456f0755/diff/etc/onlyoffice/documentserver/log4js
/var/lib/docker/overlay2/6d5ff9c5d7a124b97363caad44b7a700ab17d7ae995454ccbfaee440456f0755/merged/etc/onlyoffice/documentserver/log4js
/var/lib/docker/overlay2/6d5ff9c5d7a124b97363caad44b7a700ab17d7ae995454ccbfaee440456f0755/merged/var/www/onlyoffice/documentserver/server/Common/config/log4js
/var/lib/docker/overlay2/c64e5e4d4529c5407499cd8841c770c0e0cc89ff9081dfd356718edc14ddc7a6/diff/etc/onlyoffice/documentserver/log4js
/var/lib/docker/overlay2/c64e5e4d4529c5407499cd8841c770c0e0cc89ff9081dfd356718edc14ddc7a6/diff/var/www/onlyoffice/documentserver/server/Common/config/log4js

Seems like onlyoffice is using that internally.

Please be advised that the a.m. issue may not be related to Nextcloud at all. However, @bb77 provides quite a sufficient rationale above.

Admins and users of a community version of Nextcloud deployed on a Debian system with Java capabilities installed may find the below information useful:

One can presume the Debian Security Advisory and apache-log4j2 - security update to be distributed in due time by:

Accordingly, publication and distribution are still to be awaited.

Happy hacking.
:sunflower:

Had the same results, with onlyoffice as well as sharelatex (from overleaf), but this is log4js (JavaScript), not log4j (Java), so this is fine, nothing to worry about (for now!).

2 Likes
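The two detection commands earlier in the thread (find / -name "log4j*" and apt list --installed | grep log4j) and the log4js false positives from the OnlyOffice container above both come down to the same question: which hits are actually Java Log4j jars, and which of those are below a fixed release? The script below is an added example, not code from the thread or from any of the projects mentioned. It classifies a constructed list of find-style paths (the paths are made up for the example): log4js entries are ignored, log4j-core jars have their version parsed out of the file name and compared against 2.17.0 (the release the thread later cites as fixing the issues; the 2.12.x and 2.3.x branches for older Java are not handled here), and other log4j jars are reported so their accompanying core jar can be checked. Note that this is a name-based heuristic only: a renamed, shaded or nested jar will not be caught, and hits under /var/lib/docker/overlay2 belong to containers that the host's package manager knows nothing about.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): classify hits from
# `find / -name "log4j*"` into Java Log4j jars vs. unrelated log4js files.
set -eu

# Constructed sample, mimicking what find might print on a Docker host.
# These paths are invented for the example.
SAMPLE_HITS='/var/lib/docker/overlay2/aaa/diff/etc/onlyoffice/documentserver/log4js
/var/lib/docker/overlay2/aaa/merged/var/www/onlyoffice/documentserver/server/Common/config/log4js
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
/opt/jitsi/lib/log4j-core-2.17.0.jar
/home/user/.m2/repository/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar'

# Threshold assumed from the thread: issues fixed in Log4j 2.17.0 (Java 8).
FIXED_VERSION=2.17.0

# is_java_log4j PATH -> 0 if the basename looks like a Log4j (Java) jar,
# 1 for anything else, including log4js (Node.js) directories and configs.
is_java_log4j() {
  case "${1##*/}" in
    log4js*) return 1 ;;      # log4js is a JavaScript logger, not Log4j
    log4j*.jar) return 0 ;;
    *) return 1 ;;
  esac
}

# log4j_core_version JAR -> prints the version embedded in a log4j-core
# jar file name, or an empty line for any other file.
log4j_core_version() {
  local base="${1##*/}"
  case "$base" in
    log4j-core-*.jar) base=${base#log4j-core-}; printf '%s\n' "${base%.jar}" ;;
    *) printf '\n' ;;
  esac
}

# version_lt A B -> 0 if dotted numeric version A is strictly lower than B.
version_lt() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "$x" ] && a="" || a=${a#*.}
    [ "$b" = "$y" ] && b="" || b=${b#*.}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# classify_hits -> reads newline-separated paths on stdin and prints one
# line per hit: IGNORE (not Java Log4j), INFO (log4j jar other than core:
# check the core jar next to it), REVIEW (log4j-core below the fixed
# release) or OK (log4j-core at or above it).
classify_hits() {
  local path ver
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if ! is_java_log4j "$path"; then
      printf 'IGNORE %s\n' "$path"; continue
    fi
    ver=$(log4j_core_version "$path")
    if [ -z "$ver" ]; then
      printf 'INFO %s\n' "$path"
    elif version_lt "$ver" "$FIXED_VERSION"; then
      printf 'REVIEW %s\n' "$path"
    else
      printf 'OK %s\n' "$path"
    fi
  done
}

# count_needing_review -> number of REVIEW lines for the constructed sample.
count_needing_review() {
  printf '%s\n' "$SAMPLE_HITS" | classify_hits | grep -c '^REVIEW ' || true
}

# Usage on a real host (assumption: run as root so find can read everything):
#   find / -name "log4j*" 2>/dev/null | classify_hits
printf '%s\n' "$SAMPLE_HITS" | classify_hits
```

On the constructed sample the two log4js hits are ignored, log4j-api is reported as INFO, and the 2.11.1 and 2.14.1 core jars are flagged for review while 2.17.0 passes. Treat a REVIEW line as a prompt to check the owning application (Elasticsearch, Jitsi, a container image) for an update, not as a verdict on exploitability.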

Btw: just found this Log4jAttackSurface/MEME.md at master · YfryTchsGD/Log4jAttackSurface · GitHub

2 Likes

If you have got Elasticsearch installed … you should keep an eye on when they release an update. That’s what is being used for the advanced File Search available in the App Store.

Or use the workaround and add -Dlog4j2.formatMsgNoLookups=true at the end of /etc/elasticsearch/jvm.options and restart the service …

2 Likes
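The jvm.options workaround above is easy to get wrong by hand (the flag appended twice, or added as a comment). The script below is an added example, not from the thread or from Elastic: it appends -Dlog4j2.formatMsgNoLookups=true to a jvm.options file only if that exact line is not already present, keeps a backup, and the demo function builds a constructed jvm.options in a temporary directory (an invented stand-in for /etc/elasticsearch/jvm.options, not a copy of Elastic's file) to show the edit is idempotent. Two caveats a practitioner would want: the property only has an effect on Log4j 2.10 and later, and, as the thread notes further down, the Log4j team later revised its advice because this flag alone did not cover every configuration (CVE-2021-45046), so the flag is a stopgap until the service is updated.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Elastic): idempotently add the
# formatMsgNoLookups JVM flag to a jvm.options file and verify it.
set -eu

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_flag FILE -> 0 if FILE already contains the exact flag as a whole line
# (a commented-out copy like "# -Dlog4j2..." does not count).
has_flag() {
  grep -qxF -- "$FLAG" "$1"
}

# add_flag FILE -> append the flag once, keeping a .bak copy first.
# Returns 0 whether or not a change was needed.
add_flag() {
  local file="$1"
  if has_flag "$file"; then
    return 0
  fi
  cp -- "$file" "$file.bak"   # assumption: the directory is writable
  printf '\n# Log4Shell stopgap (CVE-2021-44228); update the service as well\n%s\n' \
    "$FLAG" >> "$file"
}

# demo -> creates a constructed jvm.options in a temp dir, applies add_flag
# twice and prints how many times the flag occurs afterwards (expected: 1).
demo() {
  local dir file count
  dir=$(mktemp -d)
  file="$dir/jvm.options"
  # Constructed sample resembling a stock jvm.options; not Elastic's file.
  printf '%s\n' '-Xms1g' '-Xmx1g' '## GC configuration' '-XX:+UseG1GC' > "$file"
  add_flag "$file"
  add_flag "$file"
  count=$(grep -cF -- "$FLAG" "$file")
  rm -rf -- "$dir"
  printf '%s\n' "$count"
}

# Real usage (assumption: Debian-style path from the thread, run as root):
#   add_flag /etc/elasticsearch/jvm.options && systemctl restart elasticsearch
demo
```

The demo prints 1: the second add_flag call sees the line already present and leaves the file alone. After editing the real file, restart Elasticsearch as the post says; the JVM only reads jvm.options at start-up.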

7.16.1 was released today and fixed the Log4j-Bug …

There is a claim to have the a.m. issue Fixed in Log4j 2.12.2 and Log4j 2.16.0.

Admins and users of a community version of Nextcloud deployed on a Debian system with Java capabilities installed may find the below information useful:

Please be aware of advice on a revised mitigation procedure as referenced by the Apache Log4j team (see the URL above).

Hope that helps.

about Onlyoffice:

As normally you are only using the document server and not the full suite, you should be safe.

Question is, if the a.m. claim from OnlyOffice holds for CVE-2021-45046 …

ONLYOFFICE Docs (the document server) and ONLYOFFICE Personal (the commercial version of the document server) do not use the log4j library and therefore none of the CVEs regarding log4j can affect these products. So unless you are using the full OnlyOffice Workspace suite, which does contain log4j because it uses Elasticsearch, you are fine.

There is a new claim from the Apache team to have the a.m. issues fixed in Log4j 2.17.0 (Java 8). Please be aware of the revised mitigation procedure by the Apache Log4j team (see the URL above).

Hope that helps.

If you have Nextcloud deployed on a Debian system with Java capabilities installed you may find the below information useful:

Happy hacking.

:sunflower: