Resolved Zero Day Exploit

[Goodfred]

Good evening everyone!

I only have the question if I should care because of the actual zero day exploit about log4j.

I heard that apache is vulnerable, too.

Now my question is: Do I have to update Plesk because of this zero day exploit?

It is friday and I hope that I dont need to now and that I can run the updates on monday!

Thank you for answers!

Goodfred

 

[raykai]

I'm wandering the same thing https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/

 

[raykai]

I don't even know if Plesk uses Log4j.

 

[websavers]

I don't even know if Plesk uses Log4j.

I'm quite certain it does not. Perhaps some 3rd party extensions might use it, but I see no sign of it on a couple sample Plesk boxes of ours.

I heard that apache is vulnerable, too.

I think you might be mistaking the apache foundation/organisation with the apache web server. The foundation has a lot of different software projects under it, including log4j and the apache web server, but those are each separate software and this vulnerability is in log4j.

 

[weltonw]

This only impact you if you use the affect versions with Log4J and Java, and have the vulnerable configs set to True, which I believe is default for most.

 

[Gareth Westwood]

No official word from Plesk though...
Two days later...

 

[roadrash]

Just checked all our servers. Not any presence of Log4j.
Plesk does not use it apparently and is not responsible if you have it on your machine(s). Otherwise I am pretty sure they would fix it.

 

[seedme]

Just checked all our servers. Not any presence of Log4j.
Plesk does not use it apparently and is not responsible if you have it on your machine(s). Otherwise I am pretty sure they would fix it.

Hi there would you mind sharing how did you check for this. I've looked through all my projects composer.json and package.json and I couldnt find anything suspicious. Dont how how to check the server stack and panel software though. Thanks in advance.

 

[weltonw]

No official word from Plesk though...
Two days later...

What do you need from Plesk? They don't use java.

Hi there would you mind sharing how did you check for this. I've looked through all my projects composer.json and package.json and I couldnt find anything suspicious. Dont how how to check the server stack and panel software though. Thanks in advance.

If you use composer.json, you're using PHP, not Java. Unless you explicitly set it up, Plesk does not use Java.

 

[IgorG]

No official word from Plesk though...
Two days later...

CVE-2021-44228: vulnerability in log4j package of Apache

Applicable to: Plesk for Linux Plesk for Windows Situation CVE-2021-44228 vulnerability that exploits the log4j package from Apache was discovered. Impact Since Plesk does not use Java, it is no...

support.plesk.com

 

[Ehud]

Hi,



Solutions seems to be published here:

CRS and Log4j / Log4Shell / CVE-2021-44228 – OWASP ModSecurity Core Rule Set




Where two ModSecurity changes should do the job:

# Defense against CVE-2021-44228
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS"

# Generic rule against CVE-2021-44228 (Log4j / Log4Shell)
# See CRS and Log4j / Log4Shell / CVE-2021-44228 – OWASP ModSecurity Core Rule Set
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML://*|XML://@* "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
"id:1005,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:cmdline,\
log,\
msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', \
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.4.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"