log4j CVE-2021-44228, does it affect Cpanel?
Yes, it does. If you are using the cPanel Solr plugin, you need to uninstall it for the moment as it is potentially vulnerable.
cpanel-dovecot-solr listens only on localhost. It is not publicly accessible. The only way to interact with it is via IMAP search, and IMAP obviously requires authentication, so it seems safe to leave in place to me. Technically you could exploit this if you have local shell access, so maybe for large shared servers providing shell access it might be prudent to disable cpanel-dovecot-solr, but beyond that I don't see a concern. It runs as an unprivileged user too, so even in that case I really don't see a concern. EasyApache 4 can supply Tomcat though, which would be a larger potential concern. It's not installed by default, and you should be aware of this CVE already if you're running Tomcat.
We have published an update with the mitigation for CVE-2021-44228 to the cpanel-dovecot-solr RPM.

Obtaining the Mitigation for CVE-2021-44228
You can run a cPanel Update which will update the cpanel-dovecot-solr RPM for you: How to Install cPanel Solr

Verifying That You Have The Mitigation In Place
1. Login to the server via SSH or Terminal as the root user
2. Issue the following command:
rpm -q --changelog cpanel-dovecot-solr | grep -B1 CPANEL-39455

If the mitigation has been successfully added to your server you will see the following output:
# rpm -q --changelog cpanel-dovecot-solr | grep -B1 CPANEL-39455
* Fri Dec 10 2021 Tim Mullin - 8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228

Other log4j Related Software
The cPanel Solr plugin is the only software provided and supported by cPanel that contains log4j. Any other log4j related software that may be installed on your server would have been installed via a third party process. If you need assistance with updating or managing third party software, you could start your search for a third party systems administrator with the following resource:
So if dovecot-solr is not installed we are good? (as far as cPanel supported software goes)
[root@eldborg ~]# rpm -q --changelog cpanel-dovecot-solr | grep -B1 CPANEL-39455
[root@eldborg ~]# yum update cpanel-dovecot-solr
Package(s) cpanel-dovecot-solr available, but not installed.
Not installed, thus not vulnerable, and that makes me feel just dandy.
EasyApache 4 can supply Tomcat though, which would be a larger potential concern. It's not installed by default, and you should be aware of this CVE already if you're running Tomcat.
I don't think we have Tomcat running on our servers, but I need to do an audit. If I were to run a scan on a host, what EA4 packages should I look for? Are there updates for the Tomcat packages via cPanel/EA4, or should I just remove the packages?
Best regards, Eric
This should check for the patch, show if cpanel-dovecot-solr is not installed, and check for Tomcat, I think:
rpm -q --changelog cpanel-dovecot-solr | grep -B1 "\(CPANEL-39455\|not installed\)" && systemctl status tomcat && echo Done
-Michael
Is there a way to check if a server is currently using cpanel-dovecot-solr?
Could we please have a more in-depth statement about what has been done to mitigate the vulnerability? This suggests cpanel-dovecot-solr is still using log4j version 2.13:
# ll /home/cpanelsolr/server/lib/ext/log4j-core*jar
-rw-r--r-- 1 cpanelsolr cpanelsolr 1693950 2021-12-10 23:29 /home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
Apache states that for full mitigation an upgrade to 2.16 is required, and that other mitigation measures do not fully protect against the vulnerability [1]. Thanks.
[1] Log4j - Apache Log4j Security Vulnerabilities
I don't think we have Tomcat running on our servers, but I need to do an audit. If I were to run a scan on a host, what EA4 packages should I look for? Are there updates for the Tomcat packages via cPanel/EA4, or should I just remove the packages?
Best regards, Eric
To check for Tomcat in WHM, use the EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4). Tomcat appears in the Additional Packages section if it is available. If it is not selected (installed), the switch will be gray. This may be of use: CVE-2021-44228 - Log4Shell Vulnerability
Could we please have a more in-depth statement about what has been done to mitigate the vulnerability? This suggests cpanel-dovecot-solr is still using log4j version 2.13:
# ll /home/cpanelsolr/server/lib/ext/log4j-core*jar
-rw-r--r-- 1 cpanelsolr cpanelsolr 1693950 2021-12-10 23:29 /home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
Apache states that for full mitigation an upgrade to 2.16 is required, and that other mitigation measures do not fully protect against the vulnerability [1]. Thanks.
[1]
Ditto! I was just about to post the same question. I am showing the cPanel patch for 44228, but also still see log4j is at v 2.13.2. When will 2.16.0 install, and are we FULLY patched until it does? "Since this article was published, a further CVE,
There is another update available: cpanel-dovecot-solr.noarch 0:8.8.2-5.12.1.cpanel.
rpm -q --changelog cpanel-dovecot-solr | head
* Tue Dec 14 2021 Stephen Bee - 8.8.2-5.cp1180
- Remove JndiLookup.class from log4j to mitigate CVE-2021-45046
Any update from cPanel team? 2.17.0 should be safe, not 2.16.0 which you released:
[QUOTE]Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
We are currently testing the patch for CVE-2021-45105 (Log4j 2.17.0). Hope to have it ready sometime today. You can test with the following one-liner:
rpm -q cpanel-dovecot-solr | grep -q 'is not installed' && echo "cpanel-dovecot-solr is not installed - no action is necessary" || rpm -q cpanel-dovecot-solr --changelog | egrep -B1 'CVE-2021-44228|CVE-2021-45046|CVE-2021-45105'
Right now, two cases should be returned in the changelog if you have updated (CVE-2021-44228 and CVE-2021-45046). After we patch, you should then also see CVE-2021-45105 in the changelog. Example:
[QUOTE]
* Tue Dec 14 2021 Stephen Bee - 8.8.2-5.cp1180
- Remove JndiLookup.class from log4j to mitigate CVE-2021-45046
--
* Fri Dec 10 2021 Tim Mullin - 8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228
If you see no output at all, then your server is vulnerable and you should update as soon as possible:
yum update -y cpanel-dovecot-solr
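The checks discussed in this thread (the changelog one-liners above, and the JndiLookup.class removal mentioned for the Dec 14 RPM) combined into one script, added here as an example and not code from the thread or from cPanel. It assumes `unzip` is available for the jar check and uses the `/home/cpanelsolr/server/lib/ext/` path quoted earlier; when `rpm` is absent it evaluates a constructed sample changelog so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): evaluate the output of
# "rpm -q --changelog cpanel-dovecot-solr" and report each log4j CVE named
# in it, treating "package not installed" as the all-clear case.

# classify_changelog TEXT -> prints not-installed | mitigated | vulnerable
# "mitigated" means the CVE-2021-44228 entry (CPANEL-39455) is present, which
# the vendor later stated also covers CVE-2021-45046 and CVE-2021-45105.
classify_changelog() {
    case "$1" in
        *"is not installed"*) echo not-installed ;;
        *CPANEL-39455*|*CVE-2021-44228*) echo mitigated ;;
        *) echo vulnerable ;;
    esac
}

# list_cves TEXT -> space-separated list of the log4j CVEs the changelog names
list_cves() {
    found=""
    for cve in CVE-2021-44228 CVE-2021-45046 CVE-2021-45105; do
        case "$1" in
            *"$cve"*) found="$found $cve" ;;
        esac
    done
    echo "${found#?}"   # drop the leading separator
}

# jndi_class_present JAR -> exit 0 if JndiLookup.class is still inside the jar
# (the Dec 14 RPM removes it from log4j-core); needs unzip (assumption).
jndi_class_present() {
    unzip -l "$1" 2>/dev/null | grep -q 'JndiLookup.class'
}

# Constructed sample: the two changelog entries quoted in the thread.
SAMPLE_CHANGELOG='* Tue Dec 14 2021 Stephen Bee - 8.8.2-5.cp1180
- Remove JndiLookup.class from log4j to mitigate CVE-2021-45046
--
* Fri Dec 10 2021 Tim Mullin - 8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228'

# Live check on a cPanel host; falls back to the sample where rpm is absent.
if command -v rpm >/dev/null 2>&1; then
    CHANGELOG=$(rpm -q --changelog cpanel-dovecot-solr 2>&1 || true)
else
    CHANGELOG="$SAMPLE_CHANGELOG"
fi
echo "status: $(classify_changelog "$CHANGELOG")"
echo "cves:   $(list_cves "$CHANGELOG")"
for jar in /home/cpanelsolr/server/lib/ext/log4j-core-*.jar; do
    [ -f "$jar" ] || continue
    jndi_class_present "$jar" && echo "JndiLookup.class still in $jar" \
                              || echo "JndiLookup.class absent from $jar"
done
```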
Or you could do like I did and just remove SOLR. It's only been around a short while (as compared to how long cPanel has been around) and its only use is to speed up IMAP searches, I think. I doubt anyone's system is going to come to a crashing halt if they were to remove it. If you aren't running a 128 GB server and are running a small server, the server would probably breathe a sigh of relief anyway (since SOLR is a memory hog). I'll wait a few months before I install it on my servers. If my customers had to pick between slower IMAP searches (that they likely won't even notice) and something getting hacked, I'm sure they would choose slower IMAP searches.
Good news everyone. Our security team has just confirmed that cpanel-dovecot-solr is not in fact vulnerable to CVE-2021-45105, nor was it vulnerable to CVE-2021-45046. Apache Solr's mitigations and patches from the previous issues also covered this latest vulnerability. Early patches from upstream and mitigations also protected our customers from this round of vulnerability. In the log4j release, they stated the following:
So if you have already patched for CVE-2021-44228, you're also patched against CVE-2021-45046 and CVE-2021-45105.
Or you could do like I did and just remove SOLR. It's only been around a short while (as compared to how long cPanel has been around) and its only use is to speed up IMAP searches, I think. I doubt anyone's system is going to come to a crashing halt if they were to remove it. If you aren't running a 128 GB server and are running a small server, the server would probably breathe a sigh of relief anyway (since SOLR is a memory hog). I'll wait a few months before I install it on my servers. If my customers had to pick between slower IMAP searches (that they likely won't even notice) and something getting hacked, I'm sure they would choose slower IMAP searches.
The cPanel servers already have the security patch provided by cPanel for Solr. Apache Tomcat is disabled. Question: how much has the search speed in IMAP accounts been reduced? I have several email accounts (individual), let's say more than 300, divided into different cPanel users with 15, 20 and even 50Gb of emails; how affected is the user in these cases? These users sometimes make searches even months or years later. I have an account that has 57,000 emails (16GB) from 4 years; I use Thunderbird (Thunderbird indexes them so the search is fast, but Outlook does not, so it synchronizes any filtering with the server), but there are times that I use Horde or RoundCube. If this account is configured in Outlook and Solr is disabled, how severe would the impact be? If only one client / cPanel account had many emails, I would talk to the client and disable Solr, but in this case, since there are several email accounts, I wonder how much it would affect the end user. I really appreciate your answer, to be able to make the decision and run the test.
Good news everyone. Our security team has just confirmed that cpanel-dovecot-solr is not in fact vulnerable to CVE-2021-45105, nor was it vulnerable to CVE-2021-45046. Apache Solr's mitigations and patches from the previous issues also covered this latest vulnerability. Early patches from upstream and mitigations also protected our customers from this round of vulnerability. In the log4j release, they stated the following:
The cPanel servers already have the security patch provided by cPanel for Solr. Apache Tomcat is disabled. Question: how much has the search speed in IMAP accounts been reduced? I have several email accounts (individual), let's say more than 300, divided into different cPanel users with 15, 20 and even 50Gb of emails; how affected is the user in these cases? These users sometimes make searches even months or years later. I have an account that has 57,000 emails (16GB) from 4 years; I use Thunderbird (Thunderbird indexes them so the search is fast, but Outlook does not, so it synchronizes any filtering with the server), but there are times that I use Horde or RoundCube. If this account is configured in Outlook and Solr is disabled, how severe would the impact be? If only one client / cPanel account had many emails, I would talk to the client and disable Solr, but in this case, since there are several email accounts, I wonder how much it would affect the end user. I really appreciate your answer, to be able to make the decision and run the test.
I'm not qualified to give you an answer. I did not run SOLR on my older machines because it is a memory hog. On my newest machine I installed it in August. I didn't bother to test IMAP searching, and I didn't notice any speed increase when searching an IMAP folder on the rare occasion that I was doing so, and never had a customer say "hey, IMAP searches suddenly became faster, what did you do?"
Mike