CVE-2021-44228 vulnerability Log4j (Solr)?

[gaetandezeiraud]

Prior to placing the issue, please check following: (fill out each checkbox with an X once done)

• I understand that not following or deleting the below instructions will result in immediate closure and/or deletion of my issue.
• I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
• I have understood that answers are voluntary and community-driven, and not commercial support.
• I have verified that my issue has not been already answered in the past. I also checked previous issues.

Summary

Mailcow is vulnerable to CVE-2021-44228 Log4j?
https://community.mailcow.email/d/1229-cve-2021-44228-vulnerability-solr

[andryyy]

How exactly can we access Solr from outside? Mit besten Grüßen André Peters

…

Am 11.12.2021 um 11:28 schrieb DEZEIRAUD Gaëtan ***@***.***>:  Prior to placing the issue, please check following: (fill out each checkbox with an X once done) I understand that not following or deleting the below instructions will result in immediate closure and/or deletion of my issue. I have understood that this bug report is dedicated for bugs, and not for support-related inquiries. I have understood that answers are voluntary and community-driven, and not commercial support. I have verified that my issue has not been already answered in the past. I also checked previous issues. Summary Mailcow is vulnerable to CVE-2021-44228 Log4j? https://community.mailcow.email/d/1229-cve-2021-44228-vulnerability-solr — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[gaetandezeiraud]

Don't know. It is more a question about if mailcow is potentially vulnerable or not.
By security, I have shutdown my mail servers until I get an answer.

[andryyy]

You are fine. Images should be updated asap anyway.

…

Am 11.12.2021 um 11:36 schrieb DEZEIRAUD Gaëtan ***@***.***>:  Don't know. It is more a question about if mailcow is potentially vulnerable or not. By security, I have shutdown my mail servers until I get an answer. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

[andryyy]

theoretically trivial

How?

[MAGICCC]

Seems Solr doesnt even have an update ready on their site: https://solr.apache.org/downloads.html
And they claim that 8.11.1 is safe: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

Either way: We need to update to 8.x sooner or later since this is their stable release for now.

[gaetandezeiraud]

apache/solr#454

[gaetandezeiraud]

theoretically trivial

How?

It is enough that a bad string is sent somewhere and which arrives to solr which logs it and it is finished. Code execution.

[jonprocter]

I've just disabled Solr on my mailcow servers to mitigate any potential risk from this, and everything seems to be working to the point I don't even know if to bother turning it back on when it's fixed (for reference for anybody reading who isn't sure: set SKIP_SOLR=y in mailcow.conf, line 143 for me, and then run docker-compose up -d)

[marc1006]

An easy workaround would be to use the "fix/workaround" suggested in apache/solr#454 (comment)
(adding SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true").

[gaetandezeiraud]

@marc1006 Can you write an explanation of how to do this? Step by step.

[marc1006]

At best, this should be fixed in the solr image used by Mailcow by the maintainer of Mailcow. Probably by either adapting this file https://github.com/mailcow/mailcow-dockerized/blob/master/data/Dockerfiles/solr/solr.sh or the Dockerfile https://github.com/mailcow/mailcow-dockerized/blob/master/data/Dockerfiles/solr/Dockerfile

Note: I'm not familiar with the Mailcow code base.

@Brouilles
Please perform the steps below only if you know what you're doing (and have a backup)

1. Edit the file data/Dockerfiles/solr/solr.sh (https://github.com/mailcow/mailcow-dockerized/blob/master/data/Dockerfiles/solr/solr.sh)
   e.g.

...
if [[ "${1}" == "--bootstrap" ]]; then
  echo "Creating initial configuration"
  ### ADD THE LINE BELOW
  echo 'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"' >> /opt/solr/bin/solr.in.sh
  ###
  echo "Modifying default config set"
  ...

2. Build the docker image (and tag it as mailcow/solr:tmpfix)
   e.g.
   # docker build data/Dockerfiles/solr -t mailcow/solr:tmpfix
3. Adapt docker-compose.yml so our newly created docker image is used

...
    solr-mailcow:
      image: mailcow/solr:tmpfix
...

4. Restart Mailcow
   # docker-compose up -d

Once there is a fix in Mailcow, you will need to revert/undo the changes I suggested (and delete the mailcow/solr:tmpfix docker image) before updating Mailcow!!!!

[gaetandezeiraud]

Thanks @jonprocter I have do the same.

[yoyellow]

e1db347

is pushed. am i correct in assuming that this resolves the vulnerability CVE-2021-44228 @andryyy

[andryyy]

The Solr vulnerability was fixed, yes.

mailcow was never directly affected.