Seafile log4j vulnerability fix

2021/12/30 by Paulo Pereira

~/categories/Linux #Linux #Arch Linux #Seafile

There is a recent log4j vulnerability (CVE-2021-44228) affecting a ton or services and servers.

Specifically for Seafile, you can read this post in the forum to know more about this issue and how to fix it.

Here are my notes about it.

Scan for vulnerable log4j classes

sudo -u seafile_user -s /bin/sh
mkdir /tmp/log4jscan/
cd /tmp/log4jscan/
chmod +x log4shell_1.3.1-log4shell_Linux_x86_64
./log4shell_1.3.1-log4shell_Linux_x86_64 scan $HOME/seafile/seafile-server-latest/

You will see something like this:

7:31PM ??? Identified vulnerable path 
	cve: CVE-2021-44228 
	fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class 
	hash: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e 
	path: /srv/seafile/seafile/seafile-server-latest/pro/elasticsearch/lib/log4j-core-2.11.1.jar 
	severity: 10.0 
	versionInfo: "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1"

You should also check if there is any strange ssh key in your authorized_keys file:

cat /${HOME}/.ssh/authorized_keys

And check if are any strange user connecting to your machine:

last -30 -i

Search for this string the the elasticsearch logs:

grep -i "jndi" $HOME/seafile/logs/elasticsearch*

Mitigating the issue

This vulnerability does not affect you if you disable the full text search functionality. In my case I just disabled this and will wait for a “final” fix.

The the forum post to see how to mitigate the issue and keep the full text search functionality active.

vi $HOME/seafile/conf/seafevents.conf
## must be "true" to enable search
enabled = false
sudo systemctl restart seahub
sudo systemctl restart seafile