log4j CVE-2021-44228, does it affect Cpanel?

jacobcolton

Member
Jan 27, 2005
Yes, it does.

If you are using the cPanel Solr plugin - you need to uninstall it for the moment as it is potentially vulnerable.
 

natenate19

Member
Jun 18, 2015
Michigan
cPanel Access Level
Root Administrator
cpanel-dovecot-solr listens only on localhost. It is not publicly accessible. The only way to interact with it is via IMAP search, and IMAP obviously requires authentication, so it seems safe to leave in-place to me. Technically you could exploit this if you have local shell access, so maybe for large Shared Servers providing shell access, it might be prudent to disable cpanel-dovecot-solr, but beyond that I don't see a concern. It runs as an unprivileged user too, so even in that case, I really don't see a concern.

EasyApache 4 can supply Tomcat though, which would be a larger potential concern. It's not installed by default, and you should be aware of this CVE already if you're running Tomcat.
 

cPanelAustin

Linux Technical Analyst II
Staff member
Dec 4, 2017
Houston Tx
cPanel Access Level
Root Administrator
We have published an update with the mitigation for CVE-2021-44228 to the cpanel-dovecot-solr RPM.

Obtaining the Mitigation for CVE-2021-44228

You can run a cPanel Update which will update the cpanel-dovecot-solr RPM for you:
How to update cPanel/WHM

Alternatively you could update just the cpanel-dovecot-solr RPM via YUM as the root user with the following command:
yum update cpanel-dovecot-solr

If you previously uninstalled cPanel Solr, you may install it again with the steps in this guide
How to Install cPanel Solr

Verifying That You Have The Mitigation In Place

1. Login to the server via SSH or Terminal as the root user
2. Issue the following command:
rpm -q --changelog cpanel-dovecot-solr | grep -B1 CPANEL-39455

If the mitigation has been successfully added to your server you will see the following output:
Code:
# rpm -q --changelog cpanel-dovecot-solr | grep -B1 CPANEL-39455
* Fri Dec 10 2021 Tim Mullin <[email protected]> -  8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228

Other log4j Related Software

The cPanel Solr plugin is the only software provided and supported by cPanel that contains log4j.

Any other log4j related software that may be installed on your server would have been installed via a third party process. If you need assistance with updating or managing third party software, you could start your search for a third party systems administrator with the following resource:
System Administration Services
 

Deleted member 1020609

Guest
In case we cannot immediately update dovecot-solr and/or cpanel i read the following:
"Also, as a way to mitigate the impact of the vulnerability, in version 2.10 or later, specify “log4j2.formatMsgNoLookups” in the system properties, or change the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to “true”. For versions from 2.0-beta9 to 2.10, remove the “JndiLookup” class from the classpath: “zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class”."
Is it valid and can be applied?
 

sozotech

Well-Known Member
Jul 26, 2013
cPanel Access Level
Root Administrator
EasyApache 4 can supply Tomcat though, which would be a larger potential concern. It's not installed by default, and you should be aware of this CVE already if you're running Tomcat.
I don't think we have Tomcat running on our servers, but I need to do an audit. If I were to run a scan on a host what EA4 packages should I look for? Are there updates for the Tomcat packages via cPanel/EA4 or should I just remove the packages?

Best regards,
Eric
 

mvandemar

Well-Known Member
Jun 17, 2006
This should check for the patch, show if cpanel-dovecot-solr is not installed, and check for Tomcat, I think:

rpm -q --changelog cpanel-dovecot-solr | grep -B1 "\(CPANEL-39455\|not installed\)"; systemctl status tomcat; echo Done

-Michael
 

phil99

Well-Known Member
Jun 10, 2018
UK
cPanel Access Level
Root Administrator
Could we please have a more in-depth statement about what has been done to mitigate the vulnerability?

This suggests cpanel-dovecot-solr is still using log4j version 2.13:

Code:
# ll /home/cpanelsolr/server/lib/ext/log4j-core*jar
-rw-r--r-- 1 cpanelsolr cpanelsolr 1693950 2021-12-10 23:29 /home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
Apache states that for full mitigation an upgrade to 2.16 is required, and that other mitigation measures do not fully protect against the vulnerability [1]

Thanks.

[1] Log4j – Apache Log4j Security Vulnerabilities
 

PeteS

Well-Known Member
Jun 8, 2017
Oregon
cPanel Access Level
Root Administrator
I don't think we have Tomcat running on our servers, but I need to do an audit. If I were to run a scan on a host what EA4 packages should I look for? Are there updates for the Tomcat packages via cPanel/EA4 or should I just remove the packages?

Best regards,
Eric
To check for Tomcat in WHM use the EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4). Tomcat appears in the Additional Packages section if it is available. If it is not selected (installed) the switch will be gray.

This may be of use: CVE-2021-44228 - Log4Shell Vulnerability
 

PeteS

Well-Known Member
Jun 8, 2017
Oregon
cPanel Access Level
Root Administrator
Could we please have a more in-depth statement about what has been done to mitigate the vulnerability?

This suggests cpanel-dovecot-solr is still using log4j version 2.13:

Code:
# ll /home/cpanelsolr/server/lib/ext/log4j-core*jar
-rw-r--r-- 1 cpanelsolr cpanelsolr 1693950 2021-12-10 23:29 /home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
Apache states that for full mitigation an upgrade to 2.16 is required, and that other mitigation measures do not fully protect against the vulnerability [1]

Thanks.

[1] Log4j – Apache Log4j Security Vulnerabilities
Ditto! I was just about to post the same question. I am showing the cPanel patch for 44228, but also still see log4j is at v 2.13.2. When will 2.16.0 install, and are we FULLY patched until it does?

"Since this article was published, a further CVE, CVE-2021-45046 has been made public, and the previous mitigation of setting log4j2.noFormatMsgLookup to true does not guard against this. Users are advised to update log4j2 to 2.16.0. " (From CVE-2021-44228 - Log4Shell Vulnerability)
 

phil99

Well-Known Member
Jun 10, 2018
UK
cPanel Access Level
Root Administrator
There is another update available: cpanel-dovecot-solr.noarch 0:8.8.2-5.12.1.cpanel.

Code:
rpm -q --changelog cpanel-dovecot-solr | head
* Tue Dec 14 2021 Stephen Bee <[email protected]> - 8.8.2-5.cp1180
- Remove JndiLookup.class from log4j to mitigate CVE-2021-45046
 

manager23

Member
Aug 13, 2013
cPanel Access Level
Root Administrator
Until cPanel releases updates to the relevant RPM packages, I needed a temporary fix.
Using the suggestion (from here: NVD - CVE-2021-45046) to remove the JndiLookup class from log4j, I think we may be able to remove the vulnerability by issuing this command as root (otherwise prefix both lines with "sudo "):

Code:
find / -name 'log4j-core*.jar' -type f | xargs -I % sh -c 'echo "%"; cp -a "%" "%.orig"; unzip -t "%" | grep JndiLookup.class; zip -q -d "%" org/apache/logging/log4j/core/lookup/JndiLookup.class; chown --reference="%.orig" "%"; unzip -t "%" | grep -q JndiLookup.class || echo "JndiLookup.class successfully removed"'
service cpanel-dovecot-solr restart
This does the following:
  1. Finds all files matching 'log4j-core*.jar' and for each file...
  2. prints the file name
  3. make a spare copy of the file by adding ".orig"
  4. checks via unzip if it contains a file JndiLookup.class
  5. use zip to remove that JndiLookup.class file from the jar file.
  6. change ownership back to cpanelsolr (because the zip command changes it to root)
  7. check again with unzip if the JndiLookup.class is now really gone.
  8. restart the cpanel-dovecot-solr service
If you're getting this, you don't have cpanel-dovecot-solr installed:

Code:
Redirecting to /bin/systemctl restart cpanel-dovecot-solr.service
Failed to restart cpanel-dovecot-solr.service: Unit not found.
If you're getting this (ignore the lines with /proc/ in them), you've temporarily fixed the issue for cpanel-dovecot-solr (until we get an official RPM update from cPanel):

Code:
find: ‘/proc/12531’: No such file or directory
/home/cpanelsolr/server/lib/ext/log4j-core-2.13.2.jar
    testing: org/apache/logging/log4j/core/lookup/JndiLookup.class   OK
JndiLookup.class successfully removed
/home/cpanelsolr/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar
    testing: org/apache/logging/log4j/core/lookup/JndiLookup.class   OK
JndiLookup.class successfully removed
Redirecting to /bin/systemctl restart cpanel-dovecot-solr.service
Beware: if it finds log4j-core-*.jar files in locations other than /home/cpanelsolr/ then you may have to restart other services as well. The file location might put you on the right track to find which services.

edit: I see that updated RPMs are available now, BUT, I still see this file containing JndiLookup.class: /home/cpanelsolr/contrib/prometheus-exporter/lib/log4j-core-2.13.2.jar. Not sure if that matters or not, but the suggested fix above handles that as well.
 

Hedloff

Well-Known Member
Jun 7, 2004
Up north!
cPanel Access Level
DataCenter Provider
Any update from cPanel team?
2.17.0 should be safe, not 2.16.0 which you released:
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
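The changelog checks in this thread only tell you about the RPM, while manager23's post found a second log4j-core jar under contrib/prometheus-exporter and Hedloff's quote sets 2.17.0 (2.12.3 on the 2.12 branch) as the release that closes CVE-2021-45105. The script below is an added example, not cPanel's or any poster's code: it walks a directory for log4j-core*.jar, takes the version from the filename, checks whether JndiLookup.class is still inside, and triages each jar against the thresholds quoted in this thread; the status labels and the optional root-path argument are my own.

```python
"""Audit log4j-core jars on disk against the thresholds discussed in this thread (added example)."""
import re
import sys
import zipfile
from pathlib import Path

# The class that the thread's "zip -q -d" command removes from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def jar_version(path):
    """Version tuple parsed from the filename, e.g. log4j-core-2.13.2.jar -> (2, 13, 2)."""
    m = VERSION_RE.search(Path(path).name)
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(path) as jar:
        return JNDI_CLASS in jar.namelist()


def classify(path):
    """Triage one jar: 2.17.0 (or 2.12.3 on the 2.12 branch) fixes CVE-2021-45105,
    2.16.0 fixes CVE-2021-44228/45046, and removing JndiLookup.class mitigates only
    the two JNDI CVEs. Status labels are constructed for this example."""
    v = jar_version(path)
    if v is None:
        return "unknown-version"
    if v >= (2, 17, 0) or (2, 12, 3) <= v < (2, 13, 0):
        return "fixed"
    if v >= (2, 16, 0):
        return "update-needed-45105"
    if not has_jndi_lookup(path):
        return "jndi-removed-update-needed-45105"
    return "vulnerable-44228"


def audit(root):
    """Walk root for log4j-core*.jar files and return {path: status}."""
    return {str(p): classify(p) for p in Path(root).rglob("log4j-core*.jar") if p.is_file()}


if __name__ == "__main__":
    # Defaults to the whole filesystem, like the find / command earlier in the thread.
    for jar, status in sorted(audit(sys.argv[1] if len(sys.argv) > 1 else "/").items()):
        print(f"{status:34} {jar}")
```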
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
cPanel Access Level
Root Administrator
We are currently testing the patch for CVE-2021-45105 (Log4j 2.17.0). Hope to have it ready sometime today.

You can test with the following one-liner:

rpm -q cpanel-dovecot-solr | grep -q 'is not installed' && echo "cpanel-dovecot-solr is not installed - no action is necessary" || rpm -q cpanel-dovecot-solr --changelog | egrep -B1 'CVE-2021-44228|CVE-2021-45046|CVE-2021-45105'

Right now, two cases should be returned in the changelog if you have updated (CVE-2021-44228 and CVE-2021-45046). After we patch, you should then also see CVE-2021-45105 in the changelog. Example:

Code:
* Tue Dec 14 2021 Stephen Bee <[email protected]> - 8.8.2-5.cp1180
- Remove JndiLookup.class from log4j to mitigate CVE-2021-45046
--
* Fri Dec 10 2021 Tim Mullin <[email protected]> - 8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228
If you see no output at all, then your server is vulnerable and you should update as soon as possible.

yum update -y cpanel-dovecot-solr
 

mtindor

Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
Or you could do like I did and just remove SOLR. It's only been around a short while (as compared to how long cPanel has been around) and its only use is to speed up IMAP searches, I think. I doubt anyone's system is going to come to a crashing halt if they were to remove it. If you aren't running a 128 GB server and are running a small server, the server would probably breathe a sigh of relief anyway (since SOLR is a memory hog).

I'll wait a few months before I install it on my servers. If my customers had to pick between slower IMAP searches (that they likely won't even notice) and something getting hacked, I'm sure they would choose slower IMAP searches.