Is XenForo vulnerable to log4j?

sbj

Well-known member
Due to the new information, I also updated my elasticsearch to the newest branch just to be sure.

While I did that (of course, never change a running system), my elasticsearch service failed to restart at all.

Of course panic mode was enabled and I had to google my ass off why it wouldn't start. It came down to that somehow the newest branch compared to my old branch (7.6 vs 7.16) had some jvm.options related to java which were no longer supported/included anymore. So commenting out GC configuration was the solution...

Code:
## GC configuration
#-XX:+UseConcMarkSweepGC
#-XX:CMSInitiatingOccupancyFraction=75
#-XX:+UseCMSInitiatingOccupancyOnly

Writing this in case anyone else encounters the same problem.


Neilski

Member
Nope ;)

@all You should install log4j 2.16 as soon as possible, log4j 2.15.0 is still vulnerable!
I see a few people have noted today that the tweak to /etc/elasticsearch/jvm.options isn't now considered adequate.
I guess this means that the XenForo PSA here now needs to be updated, so that those who thought we had done enough will look at it again?
(I've just used the zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class approach from the latest NVD update here, with the path tweaked of course.)
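
The check a server admin would run after either fix mentioned in this thread (upgrading to log4j 2.16, or deleting JndiLookup.class with zip -d), as an added example that is not part of the original posts. The sample jars are constructed placeholders, and the function names and the "needs attention" rule are assumptions based only on the advice given here:

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")

def check_jar(jar_path):
    """Return (version tuple or None, True if JndiLookup.class is still in the jar)."""
    m = JAR_NAME.search(Path(jar_path).name)
    version = tuple(int(g or 0) for g in m.groups()) if m else None
    with zipfile.ZipFile(jar_path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    return version, has_jndi

def scan(root):
    """Map each log4j-core jar under root (relative path) to a status string."""
    results = {}
    for jar_path in sorted(Path(root).rglob("log4j-core-*.jar")):
        version, has_jndi = check_jar(jar_path)
        # Thread guidance: upgrade to 2.16, or delete JndiLookup.class from the jar.
        old = version is None or version < (2, 16, 0)
        rel = jar_path.relative_to(root).as_posix()
        results[rel] = "needs attention" if (has_jndi and old) else "ok"
    return results

def build_sample_tree():
    """Constructed sample jars (not real log4j builds) so the check runs offline."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "log4j-core-2.11.1.jar": True,           # old jar, class still present
        "log4j-core-2.15.0.jar": True,           # 2.15.0, class still present
        "log4j-core-2.16.0.jar": True,           # upgraded jar
        "patched/log4j-core-2.11.1.jar": False,  # class removed with zip -d
    }
    for rel, keep_class in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if keep_class:
                jar.writestr(JNDI_CLASS, b"constructed placeholder")
    return root

if __name__ == "__main__":
    for name, status in scan(build_sample_tree()).items():
        print(f"{status:16} {name}")
```

On a real server, point scan() at the Elasticsearch install directory instead of the sample tree.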
 

gerryvz

Well-known member
How do I upgrade elasticsearch (current version 7.10.2) to 7.16.1? i.e., what are the commands to run in Terminal - or is there a better way to do the upgrade?
You need to add the elastic.co repository to your operating system. Then, every time you run a
Code:
yum update
(or if Ubuntu,)
Code:
apt update
command to update the system, then it will poll the elastic servers and identify any needed or available updates.

The URL that I added is:
Code:
https://artifacts.elastic.co/packages/7.x/apt stable InRelease
which is polled when I request updates. It may be a different URL for CentOS, though.

If there is an update available (perhaps once a month), then I do a
Code:
apt upgrade
and it downloads and installs the new update.

Then I restart elasticsearch with the
Code:
/etc/init.d/elasticsearch restart
command, and it immediately updates the version in the XenForo control panel.
 

motowebmaster

Well-known member
Assuming you were talking to me. Restarting Elasticsearch still did not update version shown in admincp.

Yes, apologies if I appeared negative.

I run ES on a separate Debian instance (connected via a private network). There are times I reboot after an update, but for me restarting ES will temporarily break search on my XF site like a reboot would. Either way after a few moments the XF admincp will reflect the updated version number when ES is running after the restart.

My adoption of XF Enhanced Search is a bit of a recent experience. Adopted a few of the recommendations here, but followed Elasticsearch's server config/optimization guide for the majority of the steps. I think it includes a section on restart options/alternatives.
 

karlgray

Member
This covers it nicely. Upgrade to 7.16.1 and it looks like you are fully covered. They have removed the dodgy component and added the previously mentioned line to the config by default.

Bit of a stressful one...
 

djbaxter

Well-known member
Apologies but how do I "add the elastic.co repository to your operating system"? I am running centos 7.x. When I run yum update now it tells me "Package(s) elasticsearch available, but not installed."
 

karlgray

Member
Apologies but how do I "add the elastic.co repository to your operating system"? I am running centos 7.x. When I run yum update now it tells me "Package(s) elasticsearch available, but not installed."
If it is not updating or installing, check that the repo is enabled.

/etc/yum.repos.d/elasticsearch.repo
Code:
enabled=1

Or use
Code:
yum install --enablerepo=elasticsearch elasticsearch
 