![]() ![]() The following graphic helps to understand the possible mitigations. Starting points to exploit the vulnerability In the pro/elasticsearch/config/jvm.options the following parameter is set: “-Dlog4j2.formatMsgNoLookups=true”.You are using Java version 8u191 or 11.0.1 and newer (source: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec).The following two conditions are not sufficient after all and do not provide complete protection: Such attacks are not possible as shown above. Log entries in seahub.log indicate that attempts were made to use this vulnerability via HTTP request. If none of these conditions apply, the vulnerability can generally be exploited. Your Seafile server is not allowed to reload code from the Internet.You have disabled full text search in nf ( enabled = false).You are using Seafile Server Community Edition (CE does not use elasticsearch).If no libraries are published, an attack can only be carried out by a logged-in user, either through a manipulated file or a query in the full-text search.įurthermore, you are NOT affected if ONE of the following conditions applies: The attack cannot be triggered directly by a URL call, but it can be exploited by searching published libraries, i.e. Threat situation for Seafile Server Professional Edition:Īccording to the current assessment, the threat situation is moderate. Thus, a Seafile server is basically threatened. Both versions of log4j are now considered vulnerable. Seafile PE version 6 uses elasticsearch 2.4.5 with log4j version 1.2. Seafile Professional Edition (PE) version 7 and 8 uses elasticsearch 5.6 bundled with one of log4j version 2.11 for full-text search. In the worst case, this vulnerability allows an attacker to gain root privileges on the system and execute code, e.g. Manipulated log entries allow the reloading and execution of malicious code downloaded over the Internet. The vulnerability in log4j exploits the unintended processing of manipulated log entries. However, we will continue to inform you here in any case. Statements that are still current today may no longer be valid tomorrow. Important: the issue is dynamic and needs to be actively monitored further. Here is the current status of our analyses on the log4j vulnerability - CVE-2021-44228: German version below… English version (last update at, 1:30am) ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |