Seafile log4j vulnerability fix
There is a recent log4j vulnerability (CVE-2021-44228) affecting a ton of services and servers.
Specifically for Seafile, you can read this post in the forum to know more about this issue and how to fix it.
Here are my notes about it.
Scan for vulnerable log4j classes
sudo -u seafile_user -s /bin/sh
mkdir /tmp/log4jscan/
cd /tmp/log4jscan/
wget https://github.com/lunasec-io/lunasec/releases/download/v1.3.1-log4shell/log4shell_1.3.1-log4shell_Linux_x86_64
chmod +x log4shell_1.3.1-log4shell_Linux_x86_64
./log4shell_1.3.1-log4shell_Linux_x86_64 scan $HOME/seafile/seafile-server-latest/
You will see something like this:
7:31PM ??? Identified vulnerable path
    cve: CVE-2021-44228
    fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class
    hash: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
    path: /srv/seafile/seafile/seafile-server-latest/pro/elasticsearch/lib/log4j-core-2.11.1.jar
    severity: 10.0
    versionInfo: "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1"
You should also check if there is any strange ssh key in your authorized_keys file:
cat ${HOME}/.ssh/authorized_keys
And check whether any strange users are connecting to your machine:
last -30 -i
Search for this string in the elasticsearch logs:
grep -i "jndi" $HOME/seafile/logs/elasticsearch*
Mitigating the issue
This vulnerability does not affect you if you disable the full text search functionality. In my case I just disabled this and will wait for a “final” fix.
See the forum post to see how to mitigate the issue and keep the full text search functionality active.
vi $HOME/seafile/conf/seafevents.conf
[INDEX FILES]
## must be "true" to enable search
enabled = false
sudo systemctl restart seahub
sudo systemctl restart seafile
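To confirm the mitigation after the restart, the following added example (not part of the original notes or of Seafile) reads the `enabled` value from the `[INDEX FILES]` section and counts `jndi` lines in the logs. The function names are hypothetical, and the paths in the usage comment assume the layout used above.

```shell
#!/bin/sh
# Added example: check the mitigation state described in these notes.

# Print the value of "enabled" inside the [INDEX FILES] section only
# (lower-cased; the last assignment seen is reported). Prints nothing if unset.
index_files_enabled() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[INDEX FILES\][ \t\r]*$/); next }
        insec && /^[ \t]*enabled[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # drop "enabled ="
            sub(/[ \t\r]+$/, "")          # drop trailing whitespace / CR
            val = tolower($0)
        }
        END { if (val != "") print val }
    ' "$1"
}

# Count lines containing "jndi" (case-insensitive) across the given log files.
# Missing files are ignored; "|| true" keeps a zero count from being an error.
jndi_hits() {
    cat -- "$@" 2>/dev/null | grep -ci "jndi" || true
}

# Succeed only when indexing is explicitly "false" and no log line mentions
# jndi. Treating an unset value as "not verified" is a conservative assumption.
check_mitigation() {
    conf=$1; shift
    state=$(index_files_enabled "$conf")
    hits=$(jndi_hits "$@")
    echo "INDEX FILES enabled=${state:-unset} jndi_log_lines=$hits"
    [ "$state" = "false" ] && [ "$hits" -eq 0 ]
}

# Usage (paths as in the notes above):
#   check_mitigation "$HOME/seafile/conf/seafevents.conf" \
#       "$HOME"/seafile/logs/elasticsearch* || echo "needs attention"
```

A non-zero `jndi_log_lines` count means the matching lines should be read by hand, as with the `grep` above.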