log4j CVE-2021-44228, does it affect Cpanel?

jacobcolton

Member
Jan 27, 2005
12
2
153
Yes, it does.

If you are using the cPanel Solr plugin - you need to uninstall it for the moment as it is potentially vulnerable.
 

natenate19

Member
Jun 18, 2015
9
3
53
Michigan
cPanel Access Level
Root Administrator
cpanel-dovecot-solr listens only on localhost. It is not publicly accessible. The only way to interact with it is via IMAP search, and IMAP obviously requires authentication, so it seems safe to leave in-place to me. Technically you could exploit this if you have local shell access, so maybe for large Shared Servers providing shell access, it might be prudent to disable cpanel-dovecot-solr, but beyond that I don't see a concern. It runs as an unprivileged user too, so even in that case, I really don't see a concern.

EasyApache 4 can supply Tomcat though, which would be a larger potential concern. It's not installed by default, and you should be aware of this CVE already if you're running Tomcat.
 

cPanelAustin

Linux Technical Analyst II
Staff member
Dec 4, 2017
25
8
78
Houston Tx
cPanel Access Level
Root Administrator
We have published an update with the mitigation for CVE-2021-44228 to the cpanel-dovecot-solr RPM.

Obtaining the Mitigation for CVE-2021-44228

You can run a cPanel Update which will update the cpanel-dovecot-solr RPM for you:
How to update cPanel/WHM

Alternatively you could update just the cpanel-dovecot-solr RPM via YUM as the root user with the following command:
yum update cpanel-dovecot-solr

If you previously uninstalled cPanel Solr, you may install it again with the steps in this guide
How to Install cPanel Solr

Verifying That You Have The Mitigation In Place

1. Login to the server via SSH or Terminal as the root user
2. Issue the following command:
rpm -q --changelog cpanel-dovecot-solr | grep -B1 CPANEL-39455

If the mitigation has been successfully added to your server you will see the following output:
Code:
# rpm -q --changelog cpanel-dovecot-solr | grep -B1 CPANEL-39455
* Fri Dec 10 2021 Tim Mullin <[email protected]> -  8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228

Other log4j Related Software

The cPanel Solr plugin is the only software provided and supported by cPanel that contains log4j.

Any other log4j related software that may be installed on your server would have been installed via a third party process. If you need assistance with updating or managing third party software, you could start your search for a third party systems admininstrator with the following resource:
System Administration Services
 

zgrek20

Member
Aug 28, 2020
14
0
1
Greece
cPanel Access Level
Root Administrator
In case we cannot immediately update dovecot-solr and/or cpanel i read the following:
"Also, as a way to mitigate the impact of the vulnerability, in version 2.10 or later, specify “log4j2.formatMsgNoLookups” in the system properties, or change the environment variable “LOG4J FORMAT MSG NO LOOKUPS” to “true”, 2.0- For versions prior to beta 9 to 2.10, remove the “JndiLookup” class from the classpath “zip -q -d log4j-core-*.jar org / apache / logging / log4j / core / lookup / JndiLookup.class” Introducing that."
Is it valid and can be applied?
 
Last edited:

sozotech

Well-Known Member
Jul 26, 2013
108
5
68
cPanel Access Level
Root Administrator
EasyApache 4 can supply Tomcat though, which would be a larger potential concern. It's not installed by default, and you should be aware of this CVE already if you're running Tomcat.
I don't think we have Tomcat running on our servers, but I need to do an audit. If I were to run a scan on a host what EA4 packages should I look for? Are there updates for the Tomcat packages via cPanel/EA4 or should I just remove the packages?

Best regards,
Eric
 

mvandemar

Well-Known Member
Jun 17, 2006
139
31
178
This should check for the patch, show if cpanel-dovecot-solr is not installed, and check for Tomcat, I think:

rpm -q --changelog cpanel-dovecot-solr | grep -B1 "\(CPANEL-39455\|not installed\)" && systemctl status tomcat && echo Done

-Michael
 

phil99

Active Member
Jun 10, 2018
37
11
8
UK
cPanel Access Level
Root Administrator
Could we please have a more in-depth statement about what has been done to mitigate the vulnerability?

This suggests cpanel-dovecot-solr is still using log4j version 2.13:

Code:
# ll /home/cpanelsolr/server/lib/ext/log4j-core*jar
-rw-r--r-- 1 cpanelsolr cpanelsolr 1693950 2021-12-10 23:29 /home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
Apache states that for full mitigation an upgrade to 2.16 is required, and that other mitigation measures do not fully protect against the vulnerability [1]

Thanks.

[1] Log4j – Apache Log4j Security Vulnerabilities
 
  • Like
Reactions: PeteS

PeteS

Well-Known Member
Jun 8, 2017
239
49
28
Oregon
cPanel Access Level
Root Administrator
I don't think we have Tomcat running on our servers, but I need to do an audit. If I were to run a scan on a host what EA4 packages should I look for? Are there updates for the Tomcat packages via cPanel/EA4 or should I just remove the packages?

Best regards,
Eric
To check for Tomcat in WHM use the EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4). Tomcat appears in the Additional Packages section if it is available. If it is not selected (installed) the switch will be gray.

This may be of use: CVE-2021-44228 - Log4Shell Vulnerability
 

PeteS

Well-Known Member
Jun 8, 2017
239
49
28
Oregon
cPanel Access Level
Root Administrator
Could we please have a more in-depth statement about what has been done to mitigate the vulnerability?

This suggests cpanel-dovecot-solr is still using log4j version 2.13:

Code:
# ll /home/cpanelsolr/server/lib/ext/log4j-core*jar
-rw-r--r-- 1 cpanelsolr cpanelsolr 1693950 2021-12-10 23:29 /home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
Apache states that for full mitigation an upgrade to 2.16 is required, and that other mitigation measures do not fully protect against the vulnerability [1]

Thanks.

[1] Log4j – Apache Log4j Security Vulnerabilities
Ditto! I was just about to post the same question. I am showing the cPanel patch for 44228, but also still see log4j is at v 2.13.2. When will 2.16.0 install, and are we FULLY patched until it does?

"Since this article was published, a further CVE, CVE-2021-45046 has been made public, and the previous mitigation of setting log4j2.noFormatMsgLookup to true does not guard against this. Users are advised to update log4j2 to 2.16.0. " (From CVE-2021-44228 - Log4Shell Vulnerability)
 

phil99

Active Member
Jun 10, 2018
37
11
8
UK
cPanel Access Level
Root Administrator
There is another update available: cpanel-dovecot-solr.noarch 0:8.8.2-5.12.1.cpanel.

Code:
rpm -q --changelog cpanel-dovecot-solr | head
* Tue Dec 14 2021 Stephen Bee <[email protected]> - 8.8.2-5.cp1180
- Remove JndiLookup.class from log4j to mitigate CVE-2021-45046
 

manager23

Member
Aug 13, 2013
9
0
51
cPanel Access Level
Root Administrator
Until cPanel releases updates to the relevant RPM packages, I needed a temporary fix.
Using the suggestion (from here: NVD - CVE-2021-45046) to remove the JndiLookup class from log4j, I think we may be able to remove the vulnerability by issueing this command as root (otherwise prefix both lines with "sudo "):

Code:
find / -name 'log4j-core*.jar' -type f | xargs -I % sh -c 'echo "%"; cp -a "%" "%.orig"; unzip -t "%" | grep JndiLookup.class; zip -q -d "%" org/apache/logging/log4j/core/lookup/JndiLookup.class; chown cpanelsolr. "%"; unzip -t "%" | grep -q JndiLookup.class || echo "JndiLookup.class succesfully removed"';
service cpanel-dovecot-solr restart
This does the following:
  1. Finds all files matching 'log4j-core*.jar' and for each file...
  2. prints the file name
  3. make a spare copy of the file by adding ".orig"
  4. checks via unzip if it contains a file JndiLookup.class
  5. use zip to remove that JndiLookup.class file from the jar file.
  6. change ownership back to cpanelsolr (because the zip command changes it to root)
  7. check again with unzip if the JndiLookup.class is now really gone.
  8. restart the cpanel-dovecot-solr service
If you're getting this, you don't have cpanel-dovecot-solr installed:

Code:
Redirecting to /bin/systemctl restart cpanel-dovecot-solr.service
Failed to restart cpanel-dovecot-solr.service: Unit not found.
If you're getting this (ignore the lines with /proc/ in it), you've temporarily fixed the issue for cpanel-dovecot-solr (until we get an official RPM update from cPanel):

Code:
find: ‘/proc/12531’: No such file or directory
/home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
    testing: org/apache/logging/log4j/core/lookup/JndiLookup.class   OK
JndiLookup.class succesfully removed
/home/cpanelsolr/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar
    testing: org/apache/logging/log4j/core/lookup/JndiLookup.class   OK
JndiLookup.class succesfully removed
Redirecting to /bin/systemctl restart cpanel-dovecot-solr.service
Beware: if it finds log4j-core-*.jar files in locations other than /home/cpanelsolr/ then you may have to restart other services as well. The file location might put you on the right track to find which services.

edit: I see that updated RPMs are available now, BUT, I still see this file containing JndiLookup.class: /home/cpanelsolr/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar. Not sure if that matters or not, but the suggested fix above handles that as well.
 
Last edited:

Hedloff

Well-Known Member
Jun 7, 2004
177
9
168
Up north!
cPanel Access Level
DataCenter Provider
Any update from cPanel team?
2.17.0 should be safe, not 2.16.0 which you released:
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
578
21
143
cPanel Access Level
Root Administrator
We are currently testing the patch for CVE-2021-45105 (Log4j 2.17.0). Hope to have it ready sometime today.

You can test with the following one-liner:

rpm -q cpanel-dovecot-solr | grep -q 'is not installed' && echo "cpanel-dovecot-solr is not installed - no action is necessary" || rpm -q cpanel-dovecot-solr --changelog | egrep -B1 'CVE-2021-44228|CVE-2021-45046|CVE-2021-45105'

Right now, two cases should be returned in the changelog if you have updated. (CVE-2021-4228 and CVE-2021-45046). After we patch, you should then also see CVE-2021-45105 in the changelog. Example

* Tue Dec 14 2021 Stephen Bee <[email protected]> - 8.8.2-5.cp1180
- Remove JndiLookup.class from log4j to mitigate CVE-2021-45046
--
* Fri Dec 10 2021 Tim Mullin <[email protected]> - 8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228
If you see no output at all, then your server is vulnerable and you should update as soon as possible.

yum update -y cpanel-dovecot-solr
 
  • Like
Reactions: mvandemar

mtindor

Well-Known Member
Sep 14, 2004
1,420
87
178
inside a catfish
cPanel Access Level
Root Administrator
Or you could like I did and just remove SOLR. It's only been around a short while (as compared to how long cPanel has been around) and it's only use is to speed up IMAP searches i think. I doubt anyone's system is going to come to a crashing halt if they were to remove it. If you aren't running a 128 GB server and are running a small server, the server would probably breath a sigh of relief anyway (since SOLR is a memory hog).

I'll wait a few months before I install it on my servers. If my customers had to pick between slower IMAP searches (that they likely won't even notice) and something getting hacked, I'm sure they would choose slower IMAP searches.