Hey! I use the ONLYOFFICE Documentserver via Docker.
As you surely read, there is a big exploit in Log4j.
Does the Documentserver use any Java / Log4j?
Thanks a lot!
Nils
I did a docker scan as described in: Apache Log4j 2 CVE-2021-44228 - Docker Blog
It seems like this exploit doesn't exist in the ONLYOFFICE Documentserver docker but an official statement from ONLYOFFICE would be much appreciated!
Thanks a lot!
Hi everybody,
I am an OnlyOffice Partner but we still don’t have any information yet on whether OnlyOffice is affected or not. Therefore the following observations are only “MY THOUGHT” and not an official statement of OnlyOffice. I would hope that OnlyOffice will answer this threat and give an official statement.
I checked OnlyOffice Document Server and did not find any hints about log4j. Therefore I think that the document servers are not vulnerable.
BUT the OnlyOffice Community-Server which is part of OnlyOffice Workspace uses log4j bundled with elasticsearch. If you use OnlyOffice Workspace I would recommend to do the following:
I hope this helps
Best regards
Christoph Dyllick from datamate
Hey Christoph!
Thank you for your thoughts.
That sounds already good to me.
But for sure, an official statement would be great!
Hello nilskamm and christophdb.
Document server doesn’t use the mentioned library, so it is not affected by the specified vulnerability.
As for our other products (Workspace), we are checking the situation. I will update this post when I get any news.
Thank you Alexandre for your fast response!
If we are talking about Workspace, the ElasticSearch service uses the mentioned library. We are going to update the version of ElasticSearch to a newer one that does not have this vulnerability in the next release, which is planned for January 2022.
Workaround solution:
service elasticsearch restart
Hey there,
Edit:
I WAS confused.
I realized there was talk about two things: Document Server and Workspace. I realized that DocServer does not have elasticsearch and that is true, mine also does not have it.
BUT:
Searching for log4j in the Document Server Docker Container brings up some matches:
/etc/onlyoffice/documentserver/log4js
/var/www/onlyoffice/documentserver/server/Common/config/log4js
So the above comment about Doc-Server not having log4j I cannot confirm, I guess?
Kind regards,
Martin
Hello Martin.
The folder you specified has nothing to do with the mentioned vulnerability.
Although it has got a similar name to the Java library log4j, it is not the same.
Please check it out: log4js - npm
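The name collision discussed in the last two posts can be checked by looking inside archives instead of matching the string "log4j" in paths. The following is an added example, not part of the original thread and not ONLYOFFICE code: it assumes the Java library is identified by the `JndiLookup.class` entry of log4j-core, and that a directory named `log4js` belongs to the Node.js logger.

```python
import io
import os
import sys
import zipfile

# Class shipped in the Java log4j-core library (the one CVE-2021-44228 concerns).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def has_jndi_lookup(archive):
    """True if the archive (path or file object) holds JndiLookup.class,
    directly or inside a nested archive such as a fat jar."""
    try:
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    return True
                if name.lower().endswith(ARCHIVE_EXTS):
                    if has_jndi_lookup(io.BytesIO(zf.read(name))):
                        return True
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, encrypted or not a zip: nothing to report
    return False


def classify(root):
    """Return (java_hits, node_hits): archives bundling Java log4j-core,
    and directories named log4js (the Node.js logger, a different project)."""
    java_hits, node_hits = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == "log4js":
                node_hits.append(os.path.join(dirpath, d))
        for f in filenames:
            path = os.path.join(dirpath, f)
            if f.lower().endswith(ARCHIVE_EXTS) and has_jndi_lookup(path):
                java_hits.append(path)
    return sorted(java_hits), sorted(node_hits)


if __name__ == "__main__":
    java, node = classify(sys.argv[1] if len(sys.argv) > 1 else "/")
    for p in java:
        print("Java log4j-core found:", p)
    for p in node:
        print("Node.js log4js (not the Java library):", p)
```

A hit only shows that log4j-core is bundled, not which version it is, and a jar from which the class has already been stripped will not be reported.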