Official Red Hat log4j checker finds positive

jeffschips

Well-Known Member
Jun 5, 2016
295
42
78
new york
cPanel Access Level
Root Administrator
Hello. I hope everyone is safe and healthy.

Here is a link to a Red Hat checker:


Scroll down and download.

When I ran it I found the following in a cache directory. Does anyone know what these results mean and how to mitigate? I've since changed permissions on that directory, blocking any public access.

The script only spits out this information, or if nothing is found, says so. In this case it reported these CVEs.

CVE_2021_44228_backtrack
CVE_2021_44228_catalog
CVE_2021_44228_decompressed
CVE_2021_44228_detections
CVE_2021_44228_parents
CVE_2021_44228_queue
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,041
111
118
Houston, TX
cPanel Access Level
Root Administrator
Hello!

On Friday, December 10, 2021, a vulnerability for Log4j was announced in CVE-2021-44228.

The only service provided by the cPanel software that uses the logging utility Log4j is cpanel-dovecot-solr. If you do not have this installed, then your server is secure.

The same day the vulnerability was announced, we published an update with the mitigation for CVE-2021-44228 to the cpanel-dovecot-solr RPM in version 8.8.2-4+. This patch will automatically be applied during the nightly updates if this package is installed. On new installations of Dovecot_FTS it will include the patched RPM by default.

You can check if this RPM is installed by running the following command.

On RPM based versions:

Code:
rpm -q cpanel-dovecot-solr --changelog | grep CVE-2021-44228

On Ubuntu based versions:

Code:
zgrep -E CVE-2021-44228 /usr/share/doc/cpanel-dovecot-solr/changelog.Debian.gz

Example if installed:

Code:
rpm -q cpanel-dovecot-solr
cpanel-dovecot-solr-8.8.2-4.11.1.cpanel.noarch

Please let us know if you have any questions.
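The check described in the post above, as an added example that is not part of the original thread or cPanel's own tooling: it classifies the line printed by `rpm -q cpanel-dovecot-solr` against the first patched build named in the post (8.8.2-4). The function name `classify_solr`, the `--check` switch, and the choice to compare only the first release component are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not cPanel code). FIXED comes from the thread: the
# mitigation for CVE-2021-44228 shipped in cpanel-dovecot-solr 8.8.2-4+.
FIXED="8.8.2-4"

# classify_solr "<line printed by: rpm -q cpanel-dovecot-solr>"
# Prints one of: not-installed | patched | vulnerable | unknown
classify_solr() {
    _line="$1"
    case "$_line" in
        *"is not installed"*) echo "not-installed"; return 0 ;;
    esac
    # Keep "<version>-<first release number>", e.g. 8.8.2-4 from
    # cpanel-dovecot-solr-8.8.2-4.11.1.cpanel.noarch
    _ver=$(printf '%s\n' "$_line" |
        sed -nE 's/^cpanel-dovecot-solr-([0-9][0-9.]*-[0-9]+).*/\1/p')
    if [ -z "$_ver" ]; then
        echo "unknown"    # empty or unparseable output: do not guess
        return 0
    fi
    # sort -V orders version strings; if FIXED sorts first (or ties),
    # the installed build is at or above the patched one.
    _lowest=$(printf '%s\n%s\n' "$FIXED" "$_ver" | sort -V | head -n1)
    if [ "$_lowest" = "$FIXED" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Live check on an RPM-based server: run this script with --check
if [ "${1:-}" = "--check" ]; then
    out=$(rpm -q cpanel-dovecot-solr 2>/dev/null)
    status=$(classify_solr "$out")
    echo "cpanel-dovecot-solr: $status (${out:-no rpm output})"
    if [ "$status" = "patched" ] || [ "$status" = "vulnerable" ]; then
        # Same changelog query as in the post, used as confirmation
        if rpm -q cpanel-dovecot-solr --changelog | grep -q CVE-2021-44228; then
            echo "changelog mentions CVE-2021-44228"
        else
            echo "changelog has no CVE-2021-44228 entry"
        fi
    fi
fi
```

This covers only the cPanel-provided package; it says nothing about Log4j copies bundled with other software on the same server.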
 

jeffschips

Elasticsearch is identified as one of the vulnerable apps. I believe Horde is part of cPanel. Any concern?

/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4
/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4/COPYING
/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4/examples
/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4/examples/add.php
/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4/examples/count.php
/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4/examples/get.php
/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4/examples/map.php
/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4/examples/search.php
/usr/share/doc/cpanel-php73-horde-elasticsearch-1.0.4/examples/status.php
 

spaceman

Well-Known Member
Mar 25, 2002
518
12
318
> The only service provided by the cPanel software that uses the logging utility Log4j is cpanel-dovecot-solr. If you do not have this installed, then your server is secure.

If it's not a dumb question... surely it's possible that software NOT provided by cPanel, which DOES include the affected Log4j software, has been installed on cPanel servers?

If this is the case, then surely it's not strictly true to state that "If you do not have this (cpanel-dovecot-solr) installed, then your server is secure."

?
 

cPanelAnthony

> If it's not a dumb question... surely it's possible that software NOT provided by cPanel, which DOES include the affected Log4j software, has been installed on cPanel servers?
>
> If this is the case, then surely it's not strictly true to state that "If you do not have this (cpanel-dovecot-solr) installed, then your server is secure."
>
> ?

My apologies for the reductive statement. I simply mean that the support cPanel-side aspects of the server would be secure.