Does SuiteCRM use log4j?

Hi

There is a warning for the Java function Log4j. :warning:
Does SuiteCRM use Log4j?

If yes, what can be done about it?

Greetings
Polymed

As far as I can tell SuiteCRM does not require nor use the log4j Framework. In fact, if you are only running a webserver with no Java-related extensions, packages, etc. installed, you should be perfectly fine.

In case of doubt whether you have installed any Java-related packages which might include the log4j framework, perform a global search (on your server) for “log4j”…

btw: There’s an interesting list of affected services/packages (not complete though) at GitHub, so check if you’re using one of the mentioned services/packages:


Thanks @rmint for that insight. Double checking our codebase we(SuiteCRM) don’t use the ‘log4j’ framework or references to it.

Ok thanks for the answer. :+1:

elasticsearch uses log4j.
SuiteCRM documentation points users towards installing an older / vulnerable version of elasticsearch and, as far as I can tell, does not implement the necessary options for mitigation in the example docker-compose.yml.

I came here to see whether there’s no issue with just using the latest elasticsearch docker image, which I couldn’t find but am gonna try now.

EDIT: According to Introduction :: SuiteCRM Documentation, SuiteCRM only supports elasticsearch 5.6

elasticsearch 5.0 - 7.16.0 are all vulnerable.


Thanks for this @SupersonicWaffle
So the only elasticsearch as of yet that isn’t vulnerable is 7.16.1. Hopefully they will provide backwards compatibility to a degree.

It is true that Elasticsearch is vulnerable – however ES is not enabled by default; SuiteCRM also doesn’t install/run an elasticsearch server, so if one doesn’t explicitly activate it, one should be fine.

In case anyone is using Elasticsearch, here’s a good article on how to mitigate:


As a heads up:

Elasticsearch 5.x is susceptible to both RCE and information leak, and you need to urgently work on a mitigation path. For ≥ 5.6.11 you can use log4j2.formatMsgNoLookups=true as a fix. Unfortunately, the Security Manager rules for 5.x were not as strict as they are since 6.0.

SuiteCRM documentation points to 5.6.10 but says SuiteCRM is compatible with 5.6. Whether 5.6.11 works, I don’t know, but unless there’s an error it seems the mitigation doesn’t work for the SuiteCRM recommended ES version.
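Two practical steps come up in this thread: searching the server for log4j (rmint's post) and confirming that the `log4j2.formatMsgNoLookups=true` property actually reaches the Elasticsearch JVM (the heads-up above). The script below is an added example, not code from the thread, SuiteCRM or Elastic. It assumes that a log4j-core jar keeps its upstream file name (a shaded or renamed copy is not found), that versions below 2.16.0 are the ones to look at (the threshold is a variable you can change), and that the flag is passed on the JVM command line, e.g. via `ES_JAVA_OPTS` in a docker-compose file. The directory tree it scans when run without arguments is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread, SuiteCRM or Elastic).
# 1. Walks a directory tree for log4j-core jars and reads the version from
#    the file name (assumption: the jar keeps its upstream name; a shaded or
#    renamed copy is missed, so treat hits as leads, not a full inventory).
# 2. Flags versions below LOG4J_FIXED_VERSION (assumption: 2.16.0).
# 3. Checks a JVM command line / ES_JAVA_OPTS string for the
#    -Dlog4j2.formatMsgNoLookups=true flag the thread cites for ES >= 5.6.11.

LOG4J_FIXED_VERSION="2.16.0"

# "/opt/es/lib/log4j-core-2.11.1.jar" -> "2.11.1"; returns 1 for other names.
log4j_version_from_name() {
    base=${1##*/}
    case "$base" in
        log4j-core-*.jar) v=${base#log4j-core-}; printf '%s\n' "${v%.jar}" ;;
        *) return 1 ;;
    esac
}

# True (exit 0) if dotted version $1 is lower than $2. A suffix such as
# "-beta9" is stripped first, so "2.0-beta9" compares as "2.0".
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    oldifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Print "path version status" for every log4j-core jar under directory $1.
scan_for_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(log4j_version_from_name "$jar") || continue
        if version_lt "$ver" "$LOG4J_FIXED_VERSION"; then
            status="NEEDS-ATTENTION"
        else
            status="ok"
        fi
        printf '%s %s %s\n' "$jar" "$ver" "$status"
    done
}

# Number of jars under $1 that are below the threshold.
count_needing_attention() {
    scan_for_log4j "$1" | grep -c 'NEEDS-ATTENTION$' || true
}

# True if a JVM command line / ES_JAVA_OPTS string carries the mitigation flag.
opts_have_nolookups() {
    case "$1" in
        *-Dlog4j2.formatMsgNoLookups=true*) return 0 ;;
        *) return 1 ;;
    esac
}

# List running Java processes and whether each carries the flag (host-specific).
check_running_jvms() {
    ps -eo args= 2>/dev/null | grep '[j]ava' | while IFS= read -r cmd; do
        if opts_have_nolookups "$cmd"; then
            printf 'flag present: %s\n' "$cmd"
        else
            printf 'flag MISSING: %s\n' "$cmd"
        fi
    done
}

# Constructed sample tree (paths and versions are made up for the demo):
# an ES-style lib dir with an old core jar plus an unrelated dir with a newer one.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/elasticsearch/lib" "$d/other-app"
    touch "$d/elasticsearch/lib/log4j-core-2.11.1.jar" \
          "$d/elasticsearch/lib/log4j-api-2.11.1.jar" \
          "$d/other-app/log4j-core-2.17.1.jar"
    printf '%s\n' "$d"
}

# Usage: sh log4j-check.sh [directory]; without an argument the demo tree is scanned.
if [ $# -gt 0 ]; then
    root=$1
else
    root=$(make_demo_tree)
fi
scan_for_log4j "$root"
printf 'jars needing attention under %s: %s\n' "$root" "$(count_needing_attention "$root")"
check_running_jvms
[ $# -gt 0 ] || rm -rf "$root"
```

Run it against `/` (or the Elasticsearch install directory and any bind-mounted volumes) to get the inventory rmint suggests, and read the `check_running_jvms` lines to see whether the property from the Elastic heads-up was actually applied to the process; a jar that is found or a flag that is missing is a lead to follow up, and as the thread notes the flag only helps on 5.6.11 and later in the 5.x line.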