Answered

Does the log4j vulnerability have any impact on FileRun?

Jankees S 12 months ago updated by Vlad R 9 months ago 2

Does this Java-based vulnerability, CVE-2021-44228, a critical zero-day vulnerability in the Apache Log4j Java logging library, have any impact on FileRun?

thx

Answered

Running a simple FileRun installation, there shouldn't be any worries at all.

It is however unclear at this moment if ElasticSearch, Apache Tika and LibreOffice, which can be used with FileRun, are vulnerable.

+1

Elasticsearch statement

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager. Elasticsearch on JDK8 or below is susceptible to an information leak via DNS which is fixed by a simple JVM property change. The information leak does not permit access to data within the Elasticsearch cluster. We will also release a new version of Elasticsearch that contains the JVM property by default and removes certain components of Log4j out of an abundance of caution. Additional details below.

Patched in version 7.16.1 / 6.8.21

https://www.elastic.co/guide/en/elasticsearch/reference/7.16/release-notes-7.16.1.html

https://www.elastic.co/guide/en/elasticsearch/reference/6.8/release-notes-6.8.21.html


Tika is vulnerable and is patched in v2.1.1

https://issues.apache.org/jira/browse/TIKA-3616

This says LibreOffice is not vulnerable, but I don't know how official that is.

https://ask.libreoffice.org/t/is-the-log4j-vulnerability-applicable-to-libre-office-6-4-7-2/71548
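The thread answers the question per component, but an administrator running FileRun with Elasticsearch or Tika still has to confirm what is actually installed. The following script is an added example, not code from the thread, from FileRun, or from any of the vendors named above. It walks a deployment directory, finds every jar that carries log4j-core (identified by its Maven `pom.properties` or by the `JndiLookup.class` entry), and reports whether the version predates 2.15.0 (the first log4j-core release that fixed CVE-2021-44228), whether the JNDI lookup class has been stripped (the "removes certain components" approach the Elastic statement describes), and whether the stopgap JVM property Elastic's advisory named, `-Dlog4j2.formatMsgNoLookups=true`, is present in an Elasticsearch-style `jvm.options` file. The jars and option file it scans in `demo()` are constructed fixtures built in a temporary directory; the directory layout (`elasticsearch/lib`, `tika/`) is an assumption for illustration only.

```python
"""Added example (not from the FileRun thread): inventory the Java components that run
beside FileRun (Elasticsearch, Apache Tika, ...) for a bundled log4j-core that is still
exposed to CVE-2021-44228, and check whether the stopgap JVM property is set.
All sample jars and option files below are constructed fixtures, not vendor artifacts."""
import re
import tempfile
import zipfile
from pathlib import Path

# log4j-core 2.15.0 was the first release that fixed CVE-2021-44228; follow-up advisories
# (CVE-2021-45046, CVE-2021-45105) raised the recommended floor, so treat this as a minimum.
FIXED_VERSION = (2, 15, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Property name as documented in Elastic's ESA-2021-31 advisory; Java property names are
# case-sensitive, so the check below is an exact match on purpose.
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release tags such as '2.0-beta9' collapse to (2, 0, 0),
    which still sorts below FIXED_VERSION, so they are flagged as expected."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def inspect_jar(jar_path):
    """Classify one jar. Returns None when it is not log4j-core (neither pom.properties nor
    JndiLookup.class present); otherwise a dict whose 'verdict' is one of:
      'vulnerable'          JndiLookup.class present and version below 2.15.0 (or unknown)
      'ok'                  JndiLookup.class present but the version carries the fix
      'jndi-lookup-removed' the lookup class has been stripped from the jar
    Shaded jars may lack pom.properties, so an unknown version with the class present is
    reported as vulnerable rather than silently skipped."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
    if version is None and not has_jndi:
        return None
    parsed = parse_version(version) if version else None
    if not has_jndi:
        verdict = "jndi-lookup-removed"
    elif parsed is None or parsed < FIXED_VERSION:
        verdict = "vulnerable"
    else:
        verdict = "ok"
    return {"jar": jar_path.name, "version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}


def scan_tree(root):
    """Walk a deployment directory and return findings for every log4j-core jar in it."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            info = inspect_jar(jar)
        except zipfile.BadZipFile:
            continue  # not a readable jar; a real scanner would log this
        if info is not None:
            findings.append(info)
    return findings


def mitigation_flag_set(jvm_options_text):
    """True if the stopgap property is set in an Elasticsearch-style jvm.options file
    (one JVM flag per line, '#' comments, optional '8:' / '8-:' JDK-version prefixes).
    Setting it is not a substitute for upgrading log4j-core."""
    for raw in jvm_options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.sub(r"^[\d\-]+:", "", line)  # drop a JDK-version prefix such as '8-:'
        if line == MITIGATION_FLAG:
            return True
    return False


def _make_sample_jar(path, version, include_jndi=True):
    """Constructed fixture that mimics log4j-core's layout; class entries hold placeholder bytes."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder")


def demo():
    """Build a constructed deployment tree with three log4j-core jars plus one unrelated jar
    and return {jar name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _make_sample_jar(root / "elasticsearch" / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
        _make_sample_jar(root / "elasticsearch" / "lib" / "log4j-core-2.17.1.jar", "2.17.1")
        _make_sample_jar(root / "tika" / "log4j-core-2.14.1-stripped.jar", "2.14.1", include_jndi=False)
        with zipfile.ZipFile(root / "elasticsearch" / "lib" / "lucene-core.jar", "w") as zf:
            zf.writestr("org/apache/lucene/Placeholder.class", b"placeholder")  # not log4j, ignored
        return {f["jar"]: f["verdict"] for f in scan_tree(root)}


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{jar}: {verdict}")
```

Point `scan_tree()` at the real install directories of Elasticsearch and Tika (and at any other JVM service on the host) rather than at the fixtures, and feed the service's actual `jvm.options` to `mitigation_flag_set()`; a "vulnerable" verdict means the jar should be upgraded to the versions the thread lists, and the property alone only narrows the exposure.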