cPanel Plugin Log4j Vulnerability – How To Mitigate & Protect


cPanel, the web hosting control panel, recently released a patch for a critical flaw in the log4j Java library that ships with one of the optional components it uses for email. The vulnerability itself is known as Log4Shell.

Does Log4j CVE-2021-44228 affect cPanel?

Yes, it does. The affected component is the cPanel Solr plugin (package cpanel-dovecot-solr). Update it to the patched build (8.8.2-4 or later) or, if you do not need IMAP full-text search, uninstall the plugin.

cPanel announced an update carrying the mitigation for CVE-2021-44228 in the cpanel-dovecot-solr RPM, version 8.8.2-4 and later. cpanel-dovecot-solr is the only service shipped by cPanel that uses the Log4j logging library.

We strongly advise all customers hosting WordPress sites on cPanel servers that provide IMAP mail with the Solr search plugin installed to confirm they are running the patched version.


Critical Log4j vulnerability in cPanel plugin


The vulnerable Log4j Java library was found in an optional cPanel plugin, the cPanel Dovecot Solr plugin.

The log4j vulnerability carries a CVSS score of 10.0, the maximum on the 0 to 10 scale, which places it in the critical severity class.

The plugin is not part of the IMAP protocol itself; it adds full-text search indexing for IMAP mailboxes.

cPanel describes it as:

“The cPanel Solr plug-in enables Internet Message Access Protocol (IMAP) full-text search (FTS) indexing (powered by Apache Solr ™), which provides fast search capabilities for IMAP mailboxes.”

cPanel is a control panel that allows a website operator to easily manage their website hosting environment.

cPanel offers a graphical user interface (GUI) that resembles a desktop interface. It makes it easy to perform tasks like updating the version of PHP used by websites, checking firewalls and adding security certificates, among others.

According to business intelligence company BuiltWith, more than three million customers use cPanel. 

More generally, a hosting control panel is software installed on a server to manage and monitor the whole hosting stack from a single dashboard.


US Government Statement on Log4Shell Vulnerability

The United States government’s Cybersecurity and Infrastructure Security Agency (CISA) issued a statement on Saturday, December 11, 2021 urging software developers and vendors whose products use the log4j library to patch those products immediately and to inform their customers.

CISA Director Jen Easterly wrote:

“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library.

… End users will depend on their vendors, and the vendor community must immediately identify, mitigate and correct the wide variety of products using this software.

Vendors should also communicate with their customers to ensure that end-users know their product contains this vulnerability and should prioritize software updates.

The statement said the Joint Cyber Defense Collaborative, the National Security Agency and the FBI are also coordinating their proactive stance to raise awareness of the problem and mitigate security vulnerabilities.

The press release adds:

“We continue to urge all organizations to review the latest CISA Current Activity Alert and upgrade to log4j version 2.15.0, or immediately implement mitigation measures recommended by their vendor.

To be clear, this vulnerability poses a serious risk. We will only minimize potential impacts through collaborative efforts between the government and the private sector. We urge all organizations to join us in this essential effort and take action.”


Obtaining the CVE-2021-44228 mitigation for cPanel

The fix ships in cpanel-dovecot-solr 8.8.2-4 and later, and it is applied automatically during the nightly update run on any server where the package is installed. If the package is not installed, this vulnerability does not apply to cPanel itself, because cpanel-dovecot-solr is the only cPanel component that uses Log4j; Java software from other vendors on the same server is a separate matter, covered at the end of this article.

An official cPanel forum discussion was among the first to identify that cPanel shipped the log4j library and therefore could pose a security risk. New installations of the Dovecot FTS plugin include the patched RPM by default. You can join the discussion in the cPanel Forums thread on log4j CVE-2021-44228. To confirm that the installed package carries the fix, search its changelog for the CVE identifier with the command below (no output means the installed build predates the fix, or the package is not installed).

On RPM based versions

# rpm -q cpanel-dovecot-solr --changelog | grep CVE-2021-44228

On Ubuntu based versions

# zgrep -E CVE-2021-44228 /usr/share/doc/cpanel-dovecot-solr/changelog.Debian.gz

Example – if installed:

# rpm -q cpanel-dovecot-solr
cpanel-dovecot-solr-8.8.2-4.11.1.cpanel.noarch
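As an added illustration (not cPanel's own code and not part of the original page), the following Python helper applies the same version threshold to `rpm -q cpanel-dovecot-solr` output: it parses the NAME-VERSION-RELEASE.ARCH string, compares version and release numerically against the 8.8.2-4 build named above, and also recognises the "is not installed" reply. The package-string layout is assumed to be the one shown in the example output; hosts using the Ubuntu build would need `dpkg-query` instead, which is not covered here.

```python
"""Added example: decide whether the installed cpanel-dovecot-solr package
carries the CVE-2021-44228 mitigation (8.8.2-4 or later, per cPanel's notice).
Assumption: `rpm -q` prints NAME-VERSION-RELEASE.ARCH, as in the output above."""
import re
import subprocess

PACKAGE = "cpanel-dovecot-solr"
PATCHED_VERSION = "8.8.2"   # first patched build announced by cPanel
PATCHED_RELEASE = "4"


def _numeric_parts(text):
    """'4.11.1.cpanel' -> (4, 11, 1); non-numeric segments such as 'cpanel' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_nvra(line):
    """Split 'cpanel-dovecot-solr-8.8.2-4.11.1.cpanel.noarch' into (name, version, release)."""
    m = re.match(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$", line.strip())
    if not m:
        raise ValueError(f"not an NVRA package string: {line!r}")
    return m.group("name"), m.group("ver"), m.group("rel")


def is_patched(version, release):
    """True when (version, release) is at or above 8.8.2-4; version wins, release breaks ties."""
    v, pv = _numeric_parts(version), _numeric_parts(PATCHED_VERSION)
    if v != pv:
        return v > pv
    return _numeric_parts(release) >= _numeric_parts(PATCHED_RELEASE)


def assess(rpm_q_output):
    """Classify `rpm -q cpanel-dovecot-solr` output as 'not-installed', 'patched' or 'vulnerable'."""
    if "is not installed" in rpm_q_output:
        return "not-installed"
    _, ver, rel = parse_nvra(rpm_q_output)
    return "patched" if is_patched(ver, rel) else "vulnerable"


def query_host():
    """Run rpm on this host (RPM-based cPanel only) and classify the result."""
    proc = subprocess.run(["rpm", "-q", PACKAGE], capture_output=True, text=True)
    return assess(proc.stdout or proc.stderr)


if __name__ == "__main__":
    print(query_host())
```

Run it as root on the cPanel host; a "vulnerable" result means the nightly update has not yet replaced the package and `yum update cpanel-dovecot-solr` (or removing the plugin) should not wait for the next run.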


How to verify that no vulnerable version of log4j is in use?

The same question arises for any third-party Java software on the server. The procedure below, taken from the guidance QF-Test (a Java GUI test tool) published for its own users, shows how to check an installation with the log4j-detector tool (log4j-detector-2021.12.13.jar): download the jar to your system, e.g. to C:\TEMP, open a command shell in the directory where you placed it, and run the detector with the Java runtime bundled with the application, pointing it at the application's installation directory:

# On Windows:

> "C:\Program Files\QFS\qftest\qftest-5.3.4\jre\win64\bin\java.exe" -jar log4j-detector-2021.12.13.jar "C:\Program Files\QFS\qftest"

  • Analyzing paths (could take a long time).
  • Note: specify the '--verbose' flag to have every file examined printed to STDERR.
  • No vulnerable Log4J 2.x samples found in supplied paths: [C:\Program Files\QFS\qftest]
  • Congratulations, the supplied paths are not vulnerable to CVE-2021-44228! 🙂

# On Linux:

> /data/install/qftest/qftest-5.3.4/jre/linux64/bin/java -jar log4j-detector-2021.12.13.jar /data/install/qftest/

  • Analyzing paths (could take a long time).
  • Note: specify the '--verbose' flag to have every file examined printed to STDERR.
  • No vulnerable Log4J 2.x samples found in supplied paths: [/data/install/qftest/]
  • Congratulations, the supplied paths are not vulnerable to CVE-2021-44228! 🙂

# On macOS:

% /Applications/QF-Test.app/Contents/PlugIns/*.j*/Contents/Home/jre/bin/java -jar log4j-detector-2021.12.13.jar /Applications/QF-Test.app/Contents/Resources

  • Analyzing paths (could take a long time).
  • Note: specify the '--verbose' flag to have every file examined printed to STDERR.
  • No vulnerable Log4J 2.x samples found in supplied paths: [/Applications/QF-Test.app/Contents/Resources]
  • Congratulations, the supplied paths are not vulnerable to CVE-2021-44228! 🙂

(These examples use the default installation paths; adapt them to your system.)

Verifying your own plug-ins

If your tests rely on external plug-ins that are not bundled and shipped with QF-Test, you may want to make sure those plug-ins are clean too. From the QF-Test menu open "Help -> Info..." (on macOS "QF-Test -> About QF-Test"), select the "System info" tab and follow the link to "dir.plugin". In your shell, run the command from above, replacing the last argument with the "dir.plugin" path, for example:

# On macOS:

% /Applications/QF-Test.app/Contents/PlugIns/*.j*/Contents/Home/jre/bin/java -jar log4j-detector-2021.12.13.jar "/Users/pascal/Library/Application Support/de.qfs.apps.qftest/plugin"
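To show what a detector of this kind actually has to do, here is an added Python scanner; it is not the log4j-detector's code and not from the original page. It walks a directory tree, opens every .jar/.war/.ear/.zip (recursing into archives nested inside archives, the jar-in-war case the detector also handles), reads the bundled log4j-core version from its Maven pom.properties, and checks whether JndiLookup.class is still present, so a jar that was hot-fixed by deleting that class is reported as mitigated rather than vulnerable. The pom.properties and class paths are those of the official log4j-core artifact. Beyond the 2.15.0 figure quoted in the CISA statement above, it also treats the Java 7 and Java 6 maintenance releases 2.12.2 and 2.3.1 as fixed for CVE-2021-44228. The fixture builder at the end writes constructed archives containing only the two entries inspected, for offline testing; they are not real log4j builds.

```python
"""Added example: scan a directory tree for bundled log4j-core affected by CVE-2021-44228."""
import io
import os
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def version_tuple(text):
    return tuple(int(x) for x in re.findall(r"\d+", text))


def fixed_for_cve_2021_44228(version):
    """2.15.0 closed the issue on the main line; 2.12.2 (Java 7) and 2.3.1 (Java 6)
    are the backport releases that carry the same fix (beyond what the page states)."""
    v = version_tuple(version)
    if v >= (2, 15, 0):
        return True
    return (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0)


def classify(names, pom_text):
    """Verdict for one archive from its entry names and pom.properties text (None if absent)."""
    has_jndi = JNDI_CLASS in names
    version = None
    if pom_text is not None:
        m = re.search(r"^version=(.+)$", pom_text, re.MULTILINE)
        version = m.group(1).strip() if m else None
    if version is None:
        return ("suspect: JndiLookup present, version unknown" if has_jndi else None), version
    if fixed_for_cve_2021_44228(version):
        return "patched", version
    if has_jndi:
        return "VULNERABLE", version
    return "mitigated (JndiLookup.class removed)", version


def scan_archive(zf, label, findings):
    names = set(zf.namelist())
    pom_text = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else None
    verdict, version = classify(names, pom_text)
    if verdict:
        findings.append((label, version, verdict))
    for name in names:  # jar inside war, war inside ear: scan recursively
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            scan_archive(inner, f"{label}!{name}", findings)


def scan_tree(root):
    """Return [(path, log4j-core version, verdict)] for every log4j-core found under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue  # not a zip container; skip
    return findings


def make_sample_archive(path, version, include_jndi=True, nested=False):
    """Constructed fixture, not a real log4j build: a jar carrying only the two entries
    the scanner inspects; with nested=True the jar is wrapped in a war at `path`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, never loaded
    data = buf.getvalue()
    if nested:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr("WEB-INF/lib/log4j-core.jar", data)
        data = outer.getvalue()
    with open(path, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    import sys
    for path, version, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:45} log4j-core {version or '?'}  {path}")
```

Point it at the application directory (or at /opt, /usr/local and home directories on a shared host) with `python3 scan_log4j.py /path`; a "suspect" line means log4j-core classes were found without a Maven descriptor, which happens with shaded or repackaged jars and needs a manual look.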

Please note that if you have installed third-party software on your server, especially software that runs Java server-side, the log4j library may be present there as well; check with the software's vendor or scan its installation directory as shown above.

If you need help doing this or if you are not sure if your server is vulnerable, please contact the WP Hacked Help support team.
