The Apache Log4j exploit and how to protect your cPanel server

On Friday, December 10, 2021, a vulnerability in Log4j was announced as CVE-2021-44228.

Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services. The vulnerability was reported to Apache by Alibaba Cloud’s security team on November 24. They also revealed that CVE-2021-44228 impacts the default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others. The United States Cybersecurity and Infrastructure Security Agency (CISA) also issued a statement from CISA Director Easterly on the Log4j vulnerability.

How does this impact my cPanel server? 

The same day the vulnerability was announced, we published an update with the mitigation for CVE-2021-44228 to the cpanel-dovecot-solr RPM in version 8.8.2-4+. The only service provided by the cPanel software that uses the logging utility Log4j is cpanel-dovecot-solr. If you do not have this package installed, then your server is secure. If the package is installed, the patch is applied automatically during the nightly updates. New installations of Dovecot_FTS include the patched RPM by default. You can join the discussion on the cPanel Forums log4j-cve-2021-44228 thread. You can check whether the patched package is installed by running the command below for your platform.

On RPM-based versions:

# rpm -q cpanel-dovecot-solr --changelog | grep CVE-2021-44228  

On Ubuntu-based versions:

# zgrep -E CVE-2021-44228 /usr/share/doc/cpanel-dovecot-solr/changelog.Debian.gz  

Example if installed: 

# rpm -q cpanel-dovecot-solr  
cpanel-dovecot-solr-8.8.2-4.11.1.cpanel.noarch 
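The checks above can be combined into one script that also reports the not-installed case. This is an added example, not cPanel's own tooling: the function names classify and check_host are hypothetical, and it assumes, as the commands above imply, that a patched package's changelog mentions the CVE ID.

```shell
#!/bin/sh
# Added example (not cPanel tooling): report whether cpanel-dovecot-solr is
# installed and whether its changelog records the CVE mitigation.
PKG=cpanel-dovecot-solr
DEB_CHANGELOG=/usr/share/doc/$PKG/changelog.Debian.gz

# classify QUERY_OUTPUT CHANGELOG_TEXT [CVE_ID]
# Prints one of: not-installed | mitigated | needs-update
classify() {
    query=$1
    changelog=$2
    cve=${3:-CVE-2021-44228}
    case $query in
        ''|*'is not installed'*) echo not-installed; return 0 ;;
    esac
    # Assumption: a patched build names the CVE in its changelog.
    if printf '%s\n' "$changelog" | grep -qF -- "$cve"; then
        echo mitigated
    else
        echo needs-update
    fi
}

# check_host [CVE_ID]: gather package facts from rpm or dpkg, then classify.
check_host() {
    cve=${1:-CVE-2021-44228}
    query=''
    changelog=''
    if command -v rpm >/dev/null 2>&1 && query=$(rpm -q "$PKG" 2>/dev/null); then
        changelog=$(rpm -q "$PKG" --changelog 2>/dev/null || true)
    elif command -v dpkg-query >/dev/null 2>&1 &&
         dpkg-query -W -f='${Status}' "$PKG" 2>/dev/null | grep -q 'ok installed'; then
        query=$(dpkg-query -W -f='${Package}-${Version}' "$PKG")
        changelog=$(zcat "$DEB_CHANGELOG" 2>/dev/null || true)
    else
        query=''   # neither package manager reports the package
    fi
    printf '%s: %s (%s)\n' "$PKG" "$(classify "$query" "$changelog" "$cve")" "$cve"
}

check_host "${1:-}"
```

A result of needs-update means the package is present but its changelog does not mention the CVE, so the nightly update has not yet delivered the patched build.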

Additional Information 

Our Technical Support team has also published a knowledge base article regarding the Log4j vulnerability titled ApacheSolr vulnerability CVE-2021-44228 for Log4j. If you have any additional questions or need further assistance, please open a ticket at support.cpanel.net.  

Update for December 15, 2021 

The Apache Logging team released an update after it was discovered that certain non-default configurations were still vulnerable to the Log4j exploit. We released an updated patch with additional mitigation in our cpanel-dovecot-solr package. Learn more about CVE-2021-45046. You can also read the Apache Logging site’s Security page for more information.
