Log4j vulnerability

gblack · December 12, 2021, 12:52am

Is there any connection at all with Owncloud and the log4shell/log4j/logjam vulnerability?

garethw · December 12, 2021, 10:44am

I’d love to hear something from one of the owncloud team as well.

eneubauer · December 13, 2021, 6:44am

Hi, I’m not from the security team this is just my personal opinion.

As ownCloud is a PHP web application I have so far not encountered a PHP library ownCloud core builds on that is affected.

garethw · December 13, 2021, 9:06am

Given that I can’t find any files related to log4j anywhere on any of the installs I manage I was assuming that it was safe. Thanks for the unofficial opinion though @eneubauer

eneubauer · December 13, 2021, 10:04am

If you have any integrations with something like Elasticsearch / Antivirus (both Enterprise features though) / …, definitely make sure to keep all of those up to date.

hodyroff · December 13, 2021, 11:08am

ownCloud 10 and ownCloud Infinite Scale are not affected by the important security issue in log4j.

Dear customer or user of ownCloud,
This simple - we’re not affected - applies for all ownCloud standard installations, including our docker containers and our SaaS Service at owncloud.online.
If you have Java services connected to ownCloud like Elasticsearch - those need to be checked and updated or mitigated now.
Here are 2 links which should help you to see if you’re generally affected and how to solve the issue:

Thanks you for your attention - as we are getting customer and user enquiries we wanted to proactively communicate with you.

As this issue mostly affects Java applications owncloud 10 (written in PHP and JavaScript) and ownCloud Infinite Scale (written in golang), as well as our desktop and mobile clients don’t need a special upgrade at this time, however we do recommend that you keep your complete environment current and follow security recommendations in a timely manner. For ownCloud 10 this would be the 10.8 server version. Staying on the latest versions assures that your systems stay safe and secure!
ownCloud 10 applications use a Javascript library called log4js. This is a different software which is verified to not have this problem.

All our internal as well as customer and user facing systems are already updated.
Please don’t hesitate to contact our support if you have any additional questions.

Best Regards,

Your ownCloud Team!

system · March 13, 2022, 11:09am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.