Not sure if everyone is aware here, but I know that my server uses Apache, but since I know very little about coding, I have no idea if I should be concerned about this recent vulnerability discovered.
Can some developers chime in here to give me some comfort?
I’m not a dev, but Nextcloud is built on PHP, therfore I doubt that they use a Java library like Log4j. Maybe it’s there if you have any 3rd party apps installed like Elastisearch or Jitsi, which are based on Java… But I’m pretty sure that the Nextcloud server itself and it’s core apps don’t use it and the Apache HTTP server definitely doesn’t.
Or in other words: Unless you have any Java applications installed, you’re most likely don’t have Log4j on your server. If you want to be sure, check your server with sudo find / -name "log4j*"
The assumption by @bb77 seems to hold for standard Debian installations. A normal Apache Web-Server install on Debian does not include Log4j and or Java, if I am correct.
However, users of a community version of Nextcloud deployed on a Debian system with Java capabilities installed may find the below information useful:
However, this procedure may not be easily feasible to community users and all community system admins. Furthermore, due to the comments in the bug report it appears this mitigation may be somewhat incomplete as provided by the Log4j Security Team.
Last not least one may find the advice and explanations provided by the below article useful:
Yeah but if it for some reason got downloaded or installed without using the package manager, you won’t find it with the apt command, but the “find” command should find it anyways. At least on my speratre Jitsi instance, it did.
Yep. If you for some reason have installed any Java application on your Nextcloud server, chances are high that log4j is installed on your system. And those who use Docker and use it to host all sorts of applications from all sorts of sources have a high chance of even having it installed multiple times. The find command on the underlying OS or the package manager then obviously cannot find it.
Please be advised that the a.m. issue may not be related to Nextcloud at all. However, @b77 provides quite a sufficient rationale above.
Admins and users of a community version of Nextcloud deployed on a Debian system with Java capabilities installed may find the below information useful:
Had the same results, with onlyoffice as well as sharelatex (from overleaf), but this is log4js (javascript) not log4j (java) so this is fine, nothing to worry about (for now !).
If you have got Elastic Search installed … you should see to when they release an update. That’s what is being used for the advanced File Search available in the App-Store.
There is a claim to have the a.m. issue Fixed in Log4j 2.12.2 and Log4j 2.16.0.
Admins and users of a community version of Nextcloud deployed on a Debian system with Java capabilities installed may find the below information useful:
ONLYOFFICE Docs (the document server) and ONLYOFFICE Personal (the commercial version of the document server) do not use the log4j library and therefore non of the CVEs regarding log4j can affect these products. So unless you are using the full OnlyOffice Workspace suite, which does contain log4j because it uses Easticsearch, you are fine.
There is a new claim from the Apache team to have the a.m. issues Fixed in Log4j 2.17.0 (Java 8) . Please be aware of the revised mitigation procedure by the Apache Log4j team (see the URL above).
Hope that helps.
If you have Nextcloud deployed on a Debian system with Java capabilities installed you may find the below information useful: