Ozzy47
Administrator
- Thread starter XenForo
- Start date Saturday at 2:31 AM
Apache Log4j 2 is bundled with and used in many Java applications including Elasticsearch.
XenForo itself is not directly exploitable, and we are currently investigating whether XenForo Enhanced Search can be used as a vector at all, but this is potentially significant enough that an abundance of caution is sensible.
You can read more about the vulnerability here: nvd.nist.gov
The specifics of how to work around this and whether you are affected are surprisingly complicated, and if you have other software that uses Log4j the workarounds and considerations will likely be different. The following pertains primarily to Elasticsearch.
Workaround for Elasticsearch 6.4 and above
You are able to control the behaviour of Log4j via the /etc/elasticsearch/jvm.options file. Notably, the current recommendation is to add the following line to the end of that file:
Code:
-Dlog4j2.formatMsgNoLookups=true
You'll then want to restart the elasticsearch server service for that change to take effect.
If you are using Elasticsearch version 5.0-6.3 please upgrade
If you are using Elasticsearch version 5.0-6.3, it may include an older version of Log4j, which means the above workaround will not work. Upgrading to a newer version is likely preferable to other workarounds that cater for the older versions. XenForo Enhanced Search supports the latest versions of Elasticsearch.

While not something that will entirely mitigate the issue, we also recommend ensuring Java JDK is up-to-date and configured correctly.
Please watch this thread with email notifications enabled. If we have any further information we'll add it in new posts in this thread.
Last edited by a moderator: Today at 12:38 PM