Protect NCP from Log4shell - disable of log4j

Hi,

How to disable log4j in apache used by NCP?
Or can we update to a version that is not susceptible to the vulnerability?

1 Like

Hi @dvpfig

The Apache HTTP server does not contain or use log4j. If it is installed on your system, it probably came with some 3rd party Java app. Whether NCP uses it for anything I don’t know, but I doubt it. Nextcloud itself and the Apache web server definitely do not use it.

You may find my below post useful:

I took this opportunity to add some information on mitigation i.e. disabling log4j in my o.m. article.

Happy hacking.
:sunflower:

1 Like

thanks.

I identified which program was the culprit and I can confirm that it was not the NCP or NC that had the log4j installed in my machine.

1 Like

Hello,

I checked my nextcloud proxmox container today with

```
root@nextcloud:~# dpkg --list | grep log4j
ii  liblog4j1.2-java                      1.2.17-10                                          all          Logging library for java
root@nextcloud:~#
```

but I have no idea how this liblog4j1.2-java arrived here.
How can I know that? Normally I only installed nextcloud, nginx, php-fpm and the other php extensions that are needed.
Could it be a nextcloud app?
How can I know which one?
How can I be sure it is safe (for my nextcloud) to uninstall liblog4j1.2-java?

I doubt that this is coming from a Nextcloud app because the Nextcloud AppStore does not use the package manager of your OS and therefore you wouldn’t find it with the dpkg command. This was most likely installed via apt as a dependency for some other package you have installed.

Addition:

You can try to find the packages that depend on it with the apt-rdepends command…

```
apt-rdepends -rp liblog4j1.2-java
```

If you only want it to show packages that are actually installed, try:

```
apt-rdepends -rp liblog4j1.2-java | grep "Installed" | grep -v "NotInstalled"
```

If this lists nothing, I would uninstall it using apt:

```
apt remove liblog4j1.2-java
```
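The "does anything installed still need it?" check from the post above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the Nextcloud or NCP projects. The two parsers work on text so they can be exercised offline against constructed samples; the sample `dpkg --list` and `apt-rdepends -rp` outputs below are made up for this example, and the exact layout of the `apt-rdepends` lines (one "Reverse Depends:" line per dependent with the state in square brackets) is an assumption about the tool's format. `run_live` is only entered with `--live` on a real Debian/Ubuntu host and prints a plan; it never removes anything itself.

```shell
#!/bin/sh
# Added example (not from the thread): find installed log4j packages and decide
# whether removing them would break an installed package.

# Constructed sample of `dpkg --list` output (not captured from a real host).
# The "rc" entry is a package that was removed with its config files left behind;
# `dpkg --list | grep log4j` still shows it although no code is installed.
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                 Version     Architecture Description
+++-====================-===========-============-=======================
ii  liblog4j1.2-java     1.2.17-10   all          Logging library for java
ii  nginx                1.18.0-6    amd64        small, powerful web server
rc  liblog4j2-java       2.11.2-1    all          Apache Log4j 2 (config only)
ii  libapache-poi-java   4.0.1-3     all          Apache POI Java library'

# Print "name version" for packages that are actually installed ("ii") and whose
# name mentions log4j; "rc" leftovers are skipped because only config remains.
find_log4j_packages() {
    printf '%s\n' "$1" | awk '$1 == "ii" && $2 ~ /log4j/ { print $2, $3 }'
}

# Constructed sample of `apt-rdepends -rp liblog4j1.2-java` output. The layout
# is an assumption about the tool's format, not copied from a real run.
SAMPLE_RDEPENDS='liblog4j1.2-java
  Reverse Depends: libapache-poi-java (4.0.1-3) [Installed]
  Reverse Depends: libjgoodies-forms-java (1.6.0-4) [NotInstalled]
  Reverse Depends: libreoffice-report-builder (1:7.0.4-4) [Installed]
libapache-poi-java
  Reverse Depends: libreoffice-report-builder (1:7.0.4-4) [Installed]'

# List installed reverse dependencies, one per line, deduplicated. Comparing the
# bracketed token exactly avoids the trap that "NotInstalled" contains "Installed".
installed_reverse_deps() {
    printf '%s\n' "$1" | awk '$1 == "Reverse" && $NF == "[Installed]" { print $3 }' | sort -u
}

# Exit 0 when no installed package still depends on it (safe to remove), 1 otherwise.
# Argument: the apt-rdepends text for that package.
safe_to_remove() {
    [ -z "$(installed_reverse_deps "$1")" ]
}

# Run the same logic against the real tools and print a removal plan.
run_live() {
    command -v apt-rdepends >/dev/null 2>&1 || { echo "apt-rdepends not installed"; return 1; }
    pkgs=$(find_log4j_packages "$(dpkg --list)")
    [ -n "$pkgs" ] || { echo "no installed log4j packages"; return 0; }
    printf '%s\n' "$pkgs" | while read -r name version; do
        deps=$(installed_reverse_deps "$(apt-rdepends -rp "$name")")
        if [ -z "$deps" ]; then
            echo "$name $version: nothing installed depends on it; candidate: apt remove $name"
        else
            echo "$name $version: still needed by:"
            printf '%s\n' "$deps" | while read -r dep; do echo "  $dep"; done
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Against the constructed samples, `find_log4j_packages` reports only `liblog4j1.2-java 1.2.17-10`, and `installed_reverse_deps` reports `libapache-poi-java` and `libreoffice-report-builder`, so `safe_to_remove` says no; on the poster's container those two are exactly the kind of packages (office/Java bits) that pulled the library in, and `apt remove` followed by `apt autoremove --purge` would take them with it.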

I see. My worry is that in this container, I should have found only what is needed for nextcloud…

What container did you use exactly in Proxmox… A plain LXC Debian or Ubuntu container or the turnkey nextcloud container?

Well, I found the guilty one:

```
libapache-poi-java* liblayout-java* liblog4j1.2-java* libreoffice-report-builder*
```

I guess it is linked to collabora online or something like that…

Now that I have a CT dedicated to collabora, I uninstalled `liblog4j1.2-java`,

then I did an `apt autoremove --purge`

and we'll see if everything is still working smoothly

Yes, it is a classic LXC CT.