log4j CVE-2021-44228, does it affect Cpanel?

[cPanelPeter]

Good news everyone.

Our security team has just confirmed that cpanel-dovecot-solr is not in fact vulnerable to CVE-2021-45105 nor was it vulnerable to CVE-2021-45046.
Apache Solr’s mitigations and patches from the previous issues also covered this latest vulnerability.

Early patches from upstream and mitigations also protected our customers from this round of vulnerability.
In the log4j release, they stated the following: https://logging.apache.org/log4j/2.x/security.html

Log4j 2.x mitigation

Implement one of the following mitigation techniques:

• Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

• In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
• Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

Please note the line about the PatternLayout mitigation, along with the substitution of %X as a mitigating means.

When we look at Apache Solr’s guidance, you can see that the fix for the other vulns previously released would also cover this one due to the use of the %X Map pattern:
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

Apache Solr releases are not vulnerable to the follow-up CVE-2021-45046 and CVE-2021-45105, because the MDC patterns used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized and injected into log files with "%X". Passing system property log4j2.formatMsgNoLookups=true (as described below) is suitable to mitigate.

So if you have already patched for CVE-2021-44228, you're also patched against CVE-2021-45046 and CVE-2021-45105.

 

[Handssler Lopez]

Or you could like I did and just remove SOLR. It's only been around a short while (as compared to how long cPanel has been around) and it's only use is to speed up IMAP searches i think. I doubt anyone's system is going to come to a crashing halt if they were to remove it. If you aren't running a 128 GB server and are running a small server, the server would probably breath a sigh of relief anyway (since SOLR is a memory hog).

I'll wait a few months before I install it on my servers. If my customers had to pick between slower IMAP searches (that they likely won't even notice) and something getting hacked, I'm sure they would choose slower IMAP searches.

The cPanel servers already have the security patch provided by cPanel for Solr. apache Tomcat disabled.

Question how much has the search speed in Imap accounts been reduced?

I have several email accounts (individual), let's say more than 300, these are divided into different cPanel users with 15, 20 and even 50Gb of emails, how affected is the user in these cases? these users make searches even months or even years after sometimes.

I have an account that has 57,000 - 16GB emails of 4 years, I use thunderbird (thunderbird indexes them so the search is fast, but Outlook does not do it so it synchronizes with the server any filtering) but there are times that I use Horde or RounCube.

If this account is configured in Outlook and Solr is disabled, how severe would the impact be?

If only one client / cPanel account has many emails, imap would talk to the client and disable Solr, but in this case, since there are several email accounts, I wonder how much it would affect the end user.

I really appreciate your answer, to be able to make the decision and take the test.

 

[Handssler Lopez]

Good news everyone.

Our security team has just confirmed that cpanel-dovecot-solr is not in fact vulnerable to CVE-2021-45105 nor was it vulnerable to CVE-2021-45046.
Apache Solr’s mitigations and patches from the previous issues also covered this latest vulnerability.

Early patches from upstream and mitigations also protected our customers from this round of vulnerability.
In the log4j release, they stated the following: https://logging.apache.org/log4j/2.x/security.html



Please note the line about the PatternLayout mitigation, along with the substitution of %X as a mitigating means.

When we look at Apache Solr’s guidance, you can see that the fix for the other vulns previously released would also cover this one due to the use of the %X Map pattern:
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228



So if you have already patched for CVE-2021-44228, you're also patched against CVE-2021-45046 and CVE-2021-45105.

Thanks for the update!

 

[mtindor]

The cPanel servers already have the security patch provided by cPanel for Solr. apache Tomcat disabled.

Question how much has the search speed in Imap accounts been reduced?

I have several email accounts (individual), let's say more than 300, these are divided into different cPanel users with 15, 20 and even 50Gb of emails, how affected is the user in these cases? these users make searches even months or even years after sometimes.

I have an account that has 57,000 - 16GB emails of 4 years, I use thunderbird (thunderbird indexes them so the search is fast, but Outlook does not do it so it synchronizes with the server any filtering) but there are times that I use Horde or RounCube.

If this account is configured in Outlook and Solr is disabled, how severe would the impact be?

If only one client / cPanel account has many emails, imap would talk to the client and disable Solr, but in this case, since there are several email accounts, I wonder how much it would affect the end user.

I really appreciate your answer, to be able to make the decision and take the test.

I'm not qualified to give you an answer. I did not run SOLR on my older machines because it is a memory hog. On my newest machine I installed it in August. I didn't bother to test IMAP searching, and I didn't notice any speed increase when searching an IMAP folder on the rare occasion that I was doing so and never had a customer say "hey, iMAP searches suddenly became faster, what did you do?"

Mike