Apache Log4J does not affect Nextcloud

We have received some questions about the Log4j vulnerability. Nextcloud software is not affected by this issue.

Details

  • Nextcloud Hub itself does not use Log4j, nor do the High Performance Backend components for Talk and Files.
  • The Android Files app ships log4j as a arbitrary dependency, but does not use log4j in any way that can lead to the security issue being exploitable.
  • Nextcloud Office (Collabora Online) does not use Log4j.
  • OnlyOffice is also unaffected.

For other third-party apps, Log4j usage could be a potential risk. For Elastic Search, see this discussion post about the Log4j issue.

See the publicly disclosed information in the CVE database and this impact analysis for more details.

Our infrastructure is updated and as we offer no hosting, no customer data could be at risk.

Please do stay up to date

Having said all the above, we do strongly recommend you keep your servers up-to-date. For home users, please make sure you run Nextcloud 21, 22 or 23. Other releases are no longer supported.

For customers using Nextcloud Enterprise, make sure you have applied the updates provided in the enterprise updater as we continue to support older versions.

13 Likes

nearly:

However, ONLYOFFICE Workspace provides the implemented Elasticsearch service for full-text search and indexing which is affected by the vulnerability.

source: https://www.onlyoffice.com/blog/2021/12/apache-log4j-security-bulletin-stay-safe-with-onlyoffice/

found the reference in this topic: Apache and Log4j, should Nextcloud servers be concerned?

onlyoffice docs that is used with nextcloud is unaffected. Workspace is
a different product.

And workspace uses elasticsearch in the same way that nextcloud does if
you enable fulltext search with elasticsearch backend. And it is the
elasicsearch part that is the problem here. Not onlyoffice workspace

/Johan

2021-12-20 14:32 skrev tflidd via Nextcloud community: