Advisory 2021-12/2 Impact of Apache Log4j2 Vulnerability on FileCloud Customers

Potential threat of arbitrary code execution through Apache Solr

Update History


  • January 6, 2022 FileCloud Version 21.3.0.18447 has been released. This version updates FileCloud to Log4j 2.17.0 which eliminates the vulnerability.
  • December 21, 2021 FileCloud customers who have updated to Server Patch 21.2.4.17315, which upgraded Log4j to Version 2.16.0, are fully protected from Log4j vulnerabilities. Since then, an additional vulnerability was found in Log4j 2.16.0. Although the new vulnerability does not affect FileCloud users, as a proactive measure, Version 21.3 of FileCloud will upgrade FileCloud to Log4j 2.17.0, which eliminates this vulnerability.
  • December 17, 2021 We published FileCloud Version 21.2.4.17315 which resolved the Log4j issue. 
    The recommended fix is to install FileCloud Version 21.2.4.17315; however, if you do not install Version 21.2.4.17315, please make the changes outlined below.
  • December 15, 2021 After a newer vulnerability report (CVE 2021-45046) was published, we created an automated tool that completely updated and verified the Log4j library in your install to the latest secure 2.16 version. The steps for running this tool are given below.
  • December 13, 2021 We sent out an update on the Apache Log4j security vulnerability and gave instructions for applying a workaround to secure your FileCloud server. Even if you applied this workaround, please perform the fix described in the above bullet point dated December 17, 2021 or in the bullet point dated December 15, 2021.


Security Advisory DateUpdated January 6, 2022 (originally published December 13, 2021)
Vulnerability TypeRemote code execution
Severity factors

High. Although Apache Solr is not directly exposed through external access, FileCloud uses Apache Solr which in turn uses the log4j library.

Versions affectedAll versions of FileCloud running Apache Solr 8.11.0 or below (all versions prior to FileCloud's 21.2.4 patch release)
Version fixed21.2.4.17315

Description

A critical vulnerability discovered recently in Apache Log4j may allow attackers to execute arbitrary code by sending formatted messages to the logger library. For content search, FileCloud uses Apache Solr which in turn uses the log4j library.

Fix

  • If you are using FileCloud on-premises, it is recommended that you update to the latest version, which is 21.2.4.17315 or greater. This will resolve the issue.
  • If you are using FileCloud on-premises and do not upgrade to version 21.2.4.17315 or greater, perform the following steps to resolve the issue:
    Please make these changes on FileCloud servers that Solr is running on:
    In Windows: 
    1. Open PowerShell as Administrator:
      Search in the Start menu for PowerShell, then right-click and select Run as administrator.
    2. In the PowerShell, go to the downloads directory

      PS C:\WINDOWS\system32> cd "$HOME\Downloads" 
    3. Setup execution permissions for the script

      Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    4. Download the Solr Log4j patch PowerShell script

      Invoke-WebRequest -Uri https://patch.codelathe.com/tonidocloud/live/3rdparty/solr/solrpatch.ps1 -OutFile .\solrpatch.ps1
    5. Execute the downloaded script 

      .\solrpatch.ps1

  • In Linux:
    1. Download the Solr Log4j patch.

      # wget https://patch.codelathe.com/tonidocloud/live/3rdparty/solr/solr_log4j_patch.sh
    2. Execute the downloaded script.

      # sudo bash ./solr_log4j_patch.sh

For Linux and Windows:

    • Once the above command completes, confirm that one of the following messages is displayed.

       Solr Log4j patches applied successfully for CVE-2021-44228 or CVE-2021-45046

      or

      supplied paths are not vulnerable to CVE-2021-44228 or CVE-2021-45046 
  • If you are a FileCloud Online customer, the fix has already been applied to your sites to secure it.

If you have any questions about this advisory, please contact FileCloud support