Hello!
For your information – ONLYOFFICE Workspace does not use the log4j library, that’s why our code is not affected by the important security issue in log4j.
However, ONLYOFFICE Workspace provides the implemented Elasticsearch service for full-text search and indexing which is affected by the mentioned vulnerability.
To fully protect your ONLYOFFICE Workspace against the security issue in log4j, please check the official recommendations from Elasticsearch and follow our instructions.
For Docker
-
Get SSH access to ONLYOFFICE Community Server. Usually, you can do it with the following command:
docker exec -it onlyoffice-community-server /bin/bash -
Edit the /etc/elasticsearch/jvm.options file by adding the following line:
-Dlog4j2.formatMsgNoLookups=true -
Restart ONLYOFFICE Community Server:
docker stop onlyoffice-community serverdocker start onlyoffice-community-server
Note: please execute these commands from the host system and NOT inside the Docker container.
For CentOS/Debian
-
Edit the /etc/elasticsearch/jvm.options file by adding the following line:
-Dlog4j2.formatMsgNoLookups=true -
Restart Elasticsearch:
systemctl restart elasticsearch
For Windows
-
Get access to ONLYOFFICE Community Server.
-
Edit the %programdata%\Elastic\Elasticsearch\config\jvm.options file by adding the following line:
-Dlog4j2.formatMsgNoLookups=true -
Restart the service: Elasticsearch
Please don’t hesitate to contact our support team or reach out to us on forum if you have any additional questions.
Stay safe!
Sincerely,
ONLYOFFICE Team