
XenForo.com PSA: Potential security vulnerability in Elasticsearch and more via Apache Log4j (Log4Shell)

Ozzy47

Administrator
It has come to our attention today that a vulnerability has been discovered in popular Java logging library Log4j 2 which may allow attackers to arbitrarily execute code (remote code execution).

Apache Log4j 2 is bundled with and used in many Java applications including Elasticsearch.

XenForo itself is not directly exploitable, and we are currently investigating whether XenForo Enhanced Search can be used as a vector at all, but this is potentially significant enough that an abundance of caution is sensible.

You can read more about the vulnerability here:

The specifics of how to work around this, and of whether you are affected, are surprisingly complicated, and if you have other software that uses Log4j the workarounds and considerations will likely be different. The following pertains primarily to Elasticsearch.

Workaround for Elasticsearch 6.4 and above

You are able to control the behaviour of Log4j via the /etc/elasticsearch/jvm.options file. Notably, the current recommendation is to add the following line to the end of that file:

Code:

-Dlog4j2.formatMsgNoLookups=true

You'll then want to restart the elasticsearch server service for that change to take effect.
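The two steps above (add the JVM flag, restart the service) are easy to get slightly wrong by hand: the line gets added twice, or it is appended to a file whose last line has no trailing newline and so merges with the previous option. The following POSIX shell script is an added example and is not part of the XenForo PSA; it applies the flag idempotently to a jvm.options file given as its argument (the real path on most installs is the /etc/elasticsearch/jvm.options mentioned above), and provides a check that a running Elasticsearch JVM actually picked the flag up after the restart. The `systemctl restart elasticsearch` command is an assumption about a systemd-based host; substitute your init system's equivalent.

```shell
#!/bin/sh
# Added example, not code from the XenForo PSA.
# Idempotently add -Dlog4j2.formatMsgNoLookups=true to an Elasticsearch
# jvm.options file, then let the operator verify the running JVM has it.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_flag FILE -> exit status 0 if FILE already contains the flag as a
# whole line, 1 otherwise.
has_flag() {
    grep -qx -- "$FLAG" "$1"
}

# ensure_flag FILE -> append the flag unless it is already present.
# Prints one line describing what happened; exit status 2 if FILE is missing.
ensure_flag() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "ensure_flag: $f does not exist" >&2
        return 2
    fi
    if has_flag "$f"; then
        echo "already present: $FLAG"
        return 0
    fi
    # If the file does not end with a newline, add one first so the flag
    # does not get glued onto the previous JVM option.
    # ($(...) strips trailing newlines, so a non-empty result means the
    # last byte is not a newline.)
    if [ -s "$f" ] && [ -n "$(tail -c 1 "$f")" ]; then
        printf '\n' >> "$f"
    fi
    printf '%s\n' "$FLAG" >> "$f"
    echo "appended: $FLAG"
}

# flag_in_running_jvm -> exit status 0 if a running Elasticsearch JVM has
# the flag on its command line. Run this after restarting the service;
# a freshly edited file does nothing until the JVM is restarted.
flag_in_running_jvm() {
    ps -eo args | grep -- '[o]rg.elasticsearch' | grep -q -- "$FLAG"
}

# Usage: sh this_script.sh /etc/elasticsearch/jvm.options
# then: systemctl restart elasticsearch   (assumed systemd host)
# then: flag_in_running_jvm && echo "flag active in running JVM"
if [ $# -gt 0 ]; then
    ensure_flag "$1"
fi
```

Running the script twice is safe: the second run reports "already present" and leaves the file untouched. Note that `has_flag` only recognises the exact option; if the file already carries the flag with a different spelling (for example with surrounding whitespace), review it by hand rather than relying on the script.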

If you are using Elasticsearch version 6.3 and below please upgrade

If you are using a version of Elasticsearch <= 6.3, this includes a particularly old version of Log4j, which means the above workaround will not work. Upgrading to a newer version is likely preferable to other workarounds that cater for the older versions. XenForo Enhanced Search supports the latest versions of Elasticsearch.

While not something that will entirely mitigate the issue, we also recommend ensuring Java JDK is up-to-date and configured correctly.

Please watch this thread with email notifications enabled. If we have any further information we'll add it in new posts in this thread.