Does Suitecrm use log4j?


There is a warning for the java function Log4j. :warning:
Does SuiteCRM use Log4j?

If yes, what can be done about it?


As far as I can tell SuiteCRM does not require nor use the log4j Framework. In fact, if you are only running a webserver with no Java-related extensions, packages, etc. installed, you should be perfectly fine.

In case of doubt whether you have installed any Java-related packages, which might include the log4j framework perform a global search (on your server) for “log4j”…

btw: There´s an interesting list of affected services/packages (not complete though) at Github, so check if you´re using one of the mentioned services/packages:

1 Like

Thanks @rmint for that insight. Double checking our codebase we(SuiteCRM) don’t use the ‘log4j’ framework or references to it.

Ok thanks for the answer. :+1:

elasticsearch uses log4j.
SuiteCRM documentation points users towards installing an older / vulnerable version of elasticsearch and as far as I can tell, do not implement the necessary options for mitigation in the example docker-compose.yml.

I came here to see whether there’s no issue with just using the latest elasticsearch docker image, which I couldn’t find but am gonna try now.

EDIT: According to Introduction :: SuiteCRM Documentation Suitecrm only supports elasticsearch 5.6

elasticsearch 5.0 - 7.16.0 are all vulnerable.

1 Like

Thanks for this @SupersonicWaffle
So the only elasticsearch as of yet that isn’t vulnerable is 7.16.1. Hopefully they will provide backwards compatibility to a degree.

It is true that Elasticsearch is vulnerable – however ES is not enabled by default; SuiteCRM also doesn´t install/run an elasticsearch server, so if one doesn´t explicitly activate it, one should be fine.

In case anyone is using Elasticsearch, here´s a good article on how to mitigate:

1 Like

As a heads up:

Elasticsearch 5.x is susceptible to both RCE and information leak , and you need to urgently work on a mitigation path. For ≥ 5.6.11 you can use log4j2.formatMsgNoLookups=true as a fix. Unfortunately, the Security Manager rules for 5.x were not as strict as they are since 6.0.

SuiteCRM documentation points to 5.6.10 but says SuiteCRM is compatible with 5.6 whether 5.6.11 works, i don’t know, but unless there’s an error it seems the mitigation doesn’t work for the SuiteCRM recommended ES version.