Is xenforo vulnerable to log4j?

Sort by date Sort by votes
Due to the new information, I also updated my elasticsearch to the newest branch just to be sure.

While I did that, -of course never change a running system-, my elasticsearch service failed to restart at all.

Of course panic mode was enabled and I had to google my ass off why it wouldn't start. It came down to that somehow the newest branch compared to my old branch (7.6 vs 7.16) had some jvm.options related to java which were no longer supported/included anymore. So commenting out GC configuration was the solution...

Code: 
## GC configuration
#-XX:+UseConcMarkSweepGC
#-XX:CMSInitiatingOccupancyFraction=75
#-XX:+UseCMSInitiatingOccupancyOnly

Writing this in case anyone else encounters the same problem.

1639591821421.webp
 
Last edited:
Upvote 1 Downvote
Masetrix said:
Nope ;)
redis.com

Security Notice: Apache Log4j2 CVE-2021-44228 - Redis

Redis security notice for Apache Log4j2 CVE-2021-44228.
redis.com redis.com

@all You should install log4j 2.16 as soon as possible, log4j 2.15.0 is still vulnerable!
Click to expand...
I see a few people have noted today that the tweak to /etc/elasticsearch/jvm.options isn't now considered adequate.
I guess this means that the XenForo PSA here now needs to be updated, so that those who thought we had done enough will look at it again?
(I've just used the zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class approach from the latest NVD update here, with the path tweaked of course.)
 
Upvote 0 Downvote
djbaxter said:
how do I upgrade elasticsearch (current version 7.10.2) to 7.16.1? i.e., what are the commands to run in Terminal - or is there a better way to do the upgrade?
Click to expand...
You need to add the elastic.co repository to your operating system. Then, every time you run a
Code: 
yum update
(or if Ubuntu,)
Code: 
apt update
command to update the system, then it will poll the elastic servers and identify any needed or available updates.

The URL that I added is:
Code: 
https://artifacts.elastic.co/packages/7.x/apt stable InRelease
which is polled when I request updates. It may be a different URL for CentOS, though.

If there is an update available (perhaps once a month), then I do a
Code: 
apt upgrade
and it downloads and installs the new update.

Then I restart elasticsearch with the
Code: 
/etc/init.d/elasticsearch restart
command, and it immediately updates the version in the XenForo control panel.
 
Upvote 0 Downvote
bzcomputers said:
Assuming you were talking to me. Restarting Elasticsearch still did not update version shown in admincp.
Click to expand...

Yes, apologies if I appeared negative.

I run ES on a separate Debian instance (connected via a private network). There are times I reboot after an update, but for me restarting ES will temporarily break search on my XF site like a reboot would. Either way after a few moments the XF admincp will reflect the updated version number when ES is running after the restart.

My adoption of XF Enhanced Search is a bit of a recent experience. Adopted a few of the recommendations here, but followed Elasticsearch's server config/optimization guide for the majority of the steps. I think it includes a section on restart options/alternatives.
 
Upvote 0 Downvote
Robru said:
discuss.elastic.co

Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31

Subject: Apache Log4j2 Vulnerability - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 - ESA-2021-31 Note - We will update this announcement with new details as they emerge from our analysis. Please check back periodically. Update Log Dec 16, 2021 - 04:20 UTC - Update Summary...
discuss.elastic.co discuss.elastic.co
Click to expand...
This covers it nicely. Upgrade to 7.16.1 and it looks like you are fully covered. They have removed the dodgy component and added the previously mentioned line to the config by default.

Bit of a stressful one...
 
Upvote 0 Downvote
gerryvz said:
You need to add the elastic.co repository to your operating system. Then, every time you run a
Code: 
yum update
(or if Ubuntu,)
Code: 
apt update
command to update the system, then it will poll the elastic servers and identify any needed or available updates.

The URL that I added is:
Code: 
https://artifacts.elastic.co/packages/7.x/apt stable InRelease
which is polled when I request updates. It may be a different URL for CentOS, though.

If there is an update available (perhaps once a month), then I do a
Code: 
apt upgrade
and it downloads and installs the new update.

Then I restart elasticsearch with the
Code: 
/etc/init.d/elasticsearch restart
command, and it immediately updates the version in the XenForo control panel.
Click to expand...

Apologies but how do I "add the elastic.co repository to your operating system"? I am running centos 7.x. When I run yum update now it tells me "Package(s) elasticsearch available, but not installed."
 
Upvote 0 Downvote
djbaxter said:
Apologies but how do I "add the elastic.co repository to your operating system"? I am running centos 7.x. When I run yum update now it tells me "Package(s) elasticsearch available, but not installed."
Click to expand...
If it is not updating or installing check that the repo is enabled.

/etc/yum.repos.d/elasticsearch.repo
enabled=1

Or use
yum install --enablerepo=elasticsearch elasticsearch
 
Upvote 0 Downvote
For anyone else. Elasticsearch does have pretty good install instructions.

www.elastic.co

Install Elasticsearch with RPM | Elastic Docs

The RPM package for Elasticsearch can be downloaded from our website or from our RPM repository. It can be used to install Elasticsearch on any RPM-based...
www.elastic.co www.elastic.co

www.elastic.co

Install Elasticsearch with a Debian package | Elastic Docs

The Debian package for Elasticsearch can be downloaded from our website or from our APT repository. It can be used to install Elasticsearch on any Debian-based...
www.elastic.co www.elastic.co
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

sniper756
  • Solved
My current es is 2.4 6. I want to know whether my website will be affected by log4j vulnerability
Replies
4
Views
964
Nirjonadda
Nirjonadda
M
  • Question Question
Is Xenforo's code easy to modify? How does it compare to phpbb's code, as for modifyability / maintainability?
Replies
5
Views
1K
MrFusion
M
80sDude
  • Question Question
Is Xenforo easy to use?
Replies
13
Views
823
Rhody
Rhody
Patfun
  • Question Question
Is XenForo a good start for used car marketplace?
Replies
0
Views
655
Patfun
Patfun
Alpha1
XF.com suggestion: Always email users who downloaded vulnerable addon releases
2
Replies
21
Views
2K
RobinHood
RobinHood
Back
Top Bottom