I just wonder if Mailcow is vulnerable to CVE-2021-44228 as Solr is also using Log4j?

I just performed a > sudo find / -name "log4j*" < on my mailcow host and found some entries, so I guess yes! The log4j vulnerability also has an impact on mailcow systems :-/

Solr 7.7 in Mailcow at least contains a vulnerable Log4j version (2.11).

I’m not sure if the vulnerability can be exploited since Mailcow’s Solr is not reachable from the outside. It would probably also require some specially crafted emails to control the log messages, if this even works at all on Mailcow.

Until there is a fix or a confirmation that Mailcow is not affected, I removed the JndiLookup class as described here:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Did the same; connect to docker: , apt-get update; apt-get install zip; cd /opt/solr/contrib/prometheus-exporter/lib/; zip -q -d log4j-core-.jar org/apache/logging/log4j/core/lookup/JndiLookup.class ; cd /opt/solr/server/lib/ext; zip -q -d log4j-core-.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
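
The check that follows the class removal described in the two posts above, as an added example that is not part of the thread or of Mailcow: it walks a directory tree, finds every log4j-core jar and reports whether JndiLookup.class is still inside. The default root /opt/solr is the path quoted in the thread; the function names are made up for this example, and jars nested inside other archives are not inspected.

```python
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")


def check_jar(path):
    """Return (version, has_jndi_lookup) for one log4j-core jar.

    version comes from the file name; has_jndi_lookup is None when the
    file cannot be read as a zip archive.
    """
    match = CORE_JAR.match(Path(path).name)
    version = match.group(1) if match else None
    try:
        with zipfile.ZipFile(path) as jar:
            return version, JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return version, None


def scan(root):
    """Walk root and report every log4j-core jar found beneath it."""
    results = []
    for path in sorted(Path(root).rglob("log4j-core-*.jar")):
        if path.is_file():
            version, has_jndi = check_jar(path)
            results.append((str(path), version, has_jndi))
    return results


def main(argv):
    # Default root is the Solr directory named in the thread.
    root = argv[1] if len(argv) > 1 else "/opt/solr"
    findings = scan(root)
    labels = {True: "JndiLookup PRESENT", False: "JndiLookup removed",
              None: "unreadable"}
    for path, version, has_jndi in findings:
        print(f"{path}  version={version}  {labels[has_jndi]}")
    # Non-zero exit if any jar still carries the class or could not be checked.
    return 1 if any(h is not False for _, _, h in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is 0 only when every log4j-core jar under the root was readable and no longer contains the class, so the script can be rerun after each image update.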

Solr has made new Docker images available and they are now used by Mailcow, just did the update. mailcow/solr should be at version 1.8 now.

    accolon
    I just performed an update and can confirm, solr version 1.8!

    4 days later

    I updated the Mailcow server promptly, so that solr 1.8 is active.
    However, I still find log4j files with version number 2.11 in the file system.
    For example:
    /var/lib/docker/overlay2/…/diff/opt/solr/contrib/prometheus-exporter/lib/log4j-slf4j-impl-2.11.0.jar
    /var/lib/docker/overlay2/…/diff/opt/solr/contrib/prometheus-exporter/lib/log4j-core-2.11.0.jar
    /var/lib/docker/overlay2/…/diff/opt/solr/contrib/prometheus-exporter/lib/log4j-api-2.11.0.jar

    How can that be?

    MAGIC (Forum Staff, volunteer)

    Because it has not (yet) been fixed upstream in Solr 7. The Solr devs did set -Dlog4j2.formatMsgNoLookups=true to fix CVE-2021-44228, but since CVE-2021-45046 that doesn't help either.
    Besides, according to their devs, Solr is not vulnerable at all: https://lists.apache.org/thread/5xgsl4t8m60zhl1d8rgmcj4qfd9r7d4m
