Protect NCP from Log4shell - disable of log4j


How to disable log4j in apache used by NCP?
Or can we update to a version that is not susceptible to the vulnerability?

1 Like

Hi @dvpfig

The Apache HTTP server does not contain or use log4j. If it is installed on your system, it probably came with some 3rd party Java app. Whether NCP uses it for anything I don’t know, but I doubt it. Nextcloud itself or the Apache web server do definitely not use it.

You may find my below post useful:

I took this opportunity to add some information on mitigation i.e. disabling log4j in my o.m. article.

Happy hacking.

1 Like


I identified which program was the culprit and I can confirm that it was not the NCP or NC that had the log4j installed in my machine.

1 Like


I check my nextcloud proxmox container today with

root@nextcloud:~# dpkg --list | grep log4j
ii  liblog4j1.2-java                      1.2.17-10                                          all          Logging library for java

but I hjave no idea how this
liblog4j1.2-java has arrived in here
How can I know that. Normaly I only installed nextcloud, nginx php-fpm and other php needed extension.
Could it be a nextcloud app?
How can I know which one?
How can I be sure if it is safe (for my nextcloud) to uninstall liblog4j1.2-java ?

I doubt that this is coming from a Nextcloud app because the Nextcloud AppStore does not use the package manager of your OS and therefore you wouldn’t find it with the dpkg command. This was most likely installed via apt as a dependency for some other package you have installed.


You can try to find the packages that depend on it with the apt-rdepends command…

apt-rdepends -rp liblog4j1.2-java

if you only want it to show packages that are actually installed try:

apt-rdepends -rp liblog4j1.2-java | grep "Installed" | grep -v "NotInstalled"

If this does list nothing, I would uninstall it by using apt

apt remove liblog4j1.2-java

I see. My worry is that in this container, I should have found only what is needed for nextcloud…

What container did you use extactley in Proxmox… A plain LXC Debian or Ubuntu container or the turnkey nextcloud container?

Well, I found the guilty one
libapache-poi-java* liblayout-java* liblog4j1.2-java* libreoffice-report-builder*

I guess it is linked to collabora online or something like that…

Now that I have a CT dedicated to collabora, I uninstalled ```

then I did an apt autoremove --purge

and we'll see if everything is still working smoothly

Yes, it is a classic LXC CT.