Hi
There is a warning for the java function Log4j.
Does SuiteCRM use Log4j?
If yes, what can be done about it?
Greetings
Polymed
As far as I can tell SuiteCRM does not require nor use the log4j Framework. In fact, if you are only running a webserver with no Java-related extensions, packages, etc. installed, you should be perfectly fine.
In case of doubt whether you have installed any Java-related packages, which might include the log4j framework, perform a global search (on your server) for “log4j”…
btw: There's an interesting list of affected services/packages (not complete though) at Github, so check if you're using one of the mentioned services/packages:
Thanks @rmint for that insight. Double checking our codebase, we (SuiteCRM) don't use the 'log4j' framework or references to it.
Ok, thanks for the answer.
elasticsearch uses log4j.
SuiteCRM documentation points users towards installing an older / vulnerable version of elasticsearch and, as far as I can tell, does not implement the necessary options for mitigation in the example docker-compose.yml.
I came here to see whether there's no issue with just using the latest elasticsearch docker image, which I couldn't find but am gonna try now.
EDIT: According to Introduction :: SuiteCRM Documentation, SuiteCRM only supports elasticsearch 5.6
elasticsearch 5.0 - 7.16.0 are all vulnerable.
Thanks for this @SupersonicWaffle
So the only elasticsearch as of yet that isn’t vulnerable is 7.16.1. Hopefully they will provide backwards compatibility to a degree.
It is true that Elasticsearch is vulnerable – however ES is not enabled by default; SuiteCRM also doesn't install/run an elasticsearch server, so if one doesn't explicitly activate it, one should be fine.
In case anyone is using Elasticsearch, here´s a good article on how to mitigate:
As a heads up:
Elasticsearch 5.x is susceptible to both RCE and information leak, and you need to urgently work on a mitigation path. For ≥ 5.6.11 you can use
log4j2.formatMsgNoLookups=true
as a fix. Unfortunately, the Security Manager rules for 5.x were not as strict as they are since 6.0.
SuiteCRM documentation points to 5.6.10 but says SuiteCRM is compatible with 5.6. Whether 5.6.11 works, I don't know, but unless there's an error it seems the mitigation doesn't work for the SuiteCRM recommended ES version.
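Putting the thread's two pieces of advice together (the "global search for log4j" and the version thresholds for the formatMsgNoLookups property), here is an added helper script, not code from SuiteCRM, Elasticsearch or any poster: it classifies an Elasticsearch version against the ranges stated above and scans a directory for log4j JARs that still contain the JndiLookup class. The function names and the sample JAR are assumptions made for this example.

```python
# Added example, not SuiteCRM or Elasticsearch code: classify an ES version
# against the ranges stated in this thread (5.0 - 7.16.0 affected, 7.16.1 fixed,
# formatMsgNoLookups usable from 5.6.11) and find log4j JARs that still ship
# the JndiLookup class. Helper names are hypothetical.
import io, os, zipfile

VULN_LOW, VULN_HIGH, FLAG_FROM = (5, 0, 0), (7, 16, 0), (5, 6, 11)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'5.6.10' -> (5, 6, 10); missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def assess_es_version(text):
    """Return (affected, property_applies, advice) for an ES version string."""
    v = parse_version(text)
    if v < VULN_LOW or v > VULN_HIGH:
        return (False, False, "outside the affected range stated in the thread")
    if v >= FLAG_FROM:
        return (True, True, "affected: set -Dlog4j2.formatMsgNoLookups=true in "
                            "jvm.options as a stopgap and upgrade to 7.16.1+")
    return (True, False, "affected and the property is not available: "
                         "upgrade, or isolate the node until you can")

def jar_has_jndi_lookup(jar_bytes):
    """True when a log4j-core JAR still contains the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_CLASS in zf.namelist()

def scan_for_log4j_jars(root):
    """The 'global search for log4j' from above, narrowed to JARs with JndiLookup."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if "log4j" in name.lower() and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if jar_has_jndi_lookup(fh.read()):
                        hits.append(path)
    return hits

def make_sample_jar(with_jndi):
    """Constructed sample JAR for offline testing (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run `scan_for_log4j_jars("/")` (or the Elasticsearch install directory) on the server to get the list the thread suggests searching for; a JAR that still contains JndiLookup is one the property alone does not fully address.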