
Resolved Zero Day Exploit

Goodfred

Basic Pleskian
Good evening everyone!

I only have the question whether I should care about the actual zero-day exploit in log4j.

I heard that apache is vulnerable, too.

Now my question is: Do I have to update Plesk because of this zero-day exploit?

It is Friday and I hope that I don't need to now and that I can run the updates on Monday!

Thank you for answers!

Goodfred
 
> I don't even know if Plesk uses Log4j.

I'm quite certain it does not. Perhaps some 3rd party extensions might use it, but I see no sign of it on a couple of sample Plesk boxes of ours.

> I heard that apache is vulnerable, too.

I think you might be confusing the Apache foundation/organisation with the Apache web server. The foundation has a lot of different software projects under it, including log4j and the Apache web server, but those are each separate software and this vulnerability is in log4j.
 
This only impacts you if you use the affected versions of Log4j with Java, and have the vulnerable configs set to true, which I believe is the default for most.
 
Just checked all our servers. No presence of Log4j.
Plesk does not use it apparently and is not responsible if you have it on your machine(s). Otherwise I am pretty sure they would fix it.
 
> Just checked all our servers. No presence of Log4j.
> Plesk does not use it apparently and is not responsible if you have it on your machine(s). Otherwise I am pretty sure they would fix it.

Hi there, would you mind sharing how you checked for this? I've looked through all my projects' composer.json and package.json and I couldn't find anything suspicious. Don't know how to check the server stack and panel software though. Thanks in advance.
 
No official word from Plesk though...
Two days later...
What do you need from Plesk? They don't use Java.

> Hi there, would you mind sharing how you checked for this? I've looked through all my projects' composer.json and package.json and I couldn't find anything suspicious. Don't know how to check the server stack and panel software though. Thanks in advance.

If you use composer.json, you're using PHP, not Java. Unless you explicitly set it up, Plesk does not use Java.
 
Hi,

A solution seems to be published here:

CRS and Log4j / Log4Shell / CVE-2021-44228 – OWASP ModSecurity Core Rule Set


Where two ModSecurity changes should do the job:

# Defense against CVE-2021-44228
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS"

# Generic rule against CVE-2021-44228 (Log4j / Log4Shell)
# See CRS and Log4j / Log4Shell / CVE-2021-44228 – OWASP ModSecurity Core Rule Set
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML://*|XML://@* "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
"id:1005,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:cmdline,\
log,\
msg:'Potential Remote Command Execution: Log4j CVE-2021-44228',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.4.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"