Symptoms
A vulnerability for Log4j was announced in CVE-2021-45046 and you want to ensure your server is secure as soon as a patch is published.
Description
This vulnerability affects the cpanel-dovecot-solr RPM that is provided by The install_dovecot_fts Script. As the cPanel Solr plugin only listens locally, this vulnerability can only be exploited by a local user and is not vulnerable externally.
No other cPanel-provided packages are affected by this vulnerability and if cpanel-dovecot-solr is not installed there are no further steps needed.
An internal case for our development team to investigate this further has been filed. For reference, the case number is CPANEL-39528. Follow this article to receive an email notification when a solution is published in the product.
Workaround
The only service provided by the cPanel software bundle that uses the logging utility Log4j is cpanel-dovecot-solr. If you do not have this installed, then your server is secure. Any new installations of Dovecot_FTS will include the patched RPM by default once the new version is published. You can check if this RPM is installed with the following command.
Example if installed:
# rpm -q cpanel-dovecot-solr
cpanel-dovecot-solr-8.8.2-5.12.1.cpanel.noarch
We have published an update with the mitigation for CVE-2021-45046 to the cpanel-dovecot-solr RPM in version 8.8.2-5.12.1 and higher. This patch will automatically be applied during the nightly updates if this package is installed. You can confirm if your server is patched by using the following command.
rpm -qv --changelog cpanel-dovecot-solr|grep "CVE-2021-45046"
Example output on a patched server:
# rpm -qv --changelog cpanel-dovecot-solr|grep "CVE-2021-45046"
- Remove JndiLookup.class from log4j to mitigate CVE-2021-45046
If the package is installed and does not show the patch information in the above command, you can perform an update using the following command.
yum update cpanel-dovecot-solr
For CVE-2021-44228, please see the following article.