First I have to apologize for “FILE_INDEXING = false”. There is no such parameter in seafevents.conf. The full text search is configured in seafevents.conf with the following parameters:
But from my point of view the second parameter “index_office_pdf” is not relevant at all. If “enabled = true” then elasticsearch is started. If “enabled = false” there is no elasticsearch process and consequently no log4j no matter what value index_office_pdf has.
I just tested that behaviour some minutes ago:
enabled = false
in controller.log:
2021-12-13 13:39:20 seafile-controller.c(462): search is not enabled
At the beginning there was a little doubt about log4j 1.x versions, but now we know that it is safe without the JMS Appender component.
And as you said that ExtractText does not produce logs, it is OK.
So thanks for your answer!
Elasticsearch 5 is susceptible to both remote code execution and an information leak via DNS. For versions 5.6.11 - 5.6.16, this can be mitigated by setting the JVM option . Users on an earlier version of 5.x are recommended to upgrade to 5.6.16.
As Seafile seems to use Elasticsearch 5.6.13, the mitigation by setting the JVM option provides full protection against the RCE and information leak attacks according to the Elasticsearch page.
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
We found this report concerning as it states that one of the recommended temporary mitigations for versions 2.7.0 <= Apache log4j <= 2.14.1 might not protect against this CVE. Further:
Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.
It was not readily apparent from reading this CVE what specifically was affected, or how this vulnerability is actually triggered. That’s why we actually tested this ourselves to figure out what the impact was.
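An added example (not from this thread or from Seafile itself) that automates the two checks discussed above: whether seafevents.conf actually enables full-text search, and therefore Elasticsearch, and how a log4j jar version maps to the "2.15.0 fix was incomplete" situation. The [INDEX FILES] section name, the jar filename pattern and the sample inputs are assumptions; only the "enabled" key, the controller.log line and the version ranges come from the thread.

```python
import configparser
import re

# Constructed sample of the relevant seafevents.conf section. The section
# name "[INDEX FILES]" is an assumption; the thread only names the keys.
SAMPLE_CONF = """
[INDEX FILES]
enabled = false
index_office_pdf = true
"""

# Constructed controller.log content, matching the line quoted in the thread.
SAMPLE_LOG = "2021-12-13 13:39:20 seafile-controller.c(462): search is not enabled\n"


def search_enabled(conf_text):
    """True if seafevents.conf turns full-text search (and so Elasticsearch) on."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    # index_office_pdf is irrelevant here: with enabled = false no ES process starts.
    return cp.getboolean("INDEX FILES", "enabled", fallback=False)


def controller_reports_search_disabled(log_text):
    """Cross-check: seafile-controller logs this when search is switched off."""
    return any("search is not enabled" in line for line in log_text.splitlines())


# Assumed jar naming: log4j-core-<major>.<minor>.<patch>.jar for 2.x,
# log4j-<major>.<minor>.<patch>.jar for 1.x. log4j-api jars are ignored.
_JAR = re.compile(r"log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")


def classify_log4j_jar(name):
    """Map a log4j jar filename to the exposure discussed in the thread."""
    m = _JAR.search(name)
    if not m:
        return "not a log4j-core or log4j 1.x jar"
    ver = tuple(int(x) for x in m.groups())
    if ver[0] == 1:
        return "log4j 1.x: no JNDI message lookup; only JMSAppender configurations need review"
    if ver < (2, 15, 0):
        return "CVE-2021-44228: upgrade; log4j2.noFormatMsgLookup alone is not a complete mitigation"
    if ver == (2, 15, 0):
        return "2.15.0: fix for CVE-2021-44228 incomplete in non-default configurations; upgrade"
    return "2.16.0 or later: not affected by the two issues discussed in this thread"
```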
We have just uploaded Seafile Pro 9.0.2, which we have tested internally for a few weeks. You can use ElasticSearch 6.x version with Seafile Pro 9.0.2. ElasticSearch 6.x is still in support period.
Do you think it would be possible to release such an update for Seafile Pro 8.x (and maybe older version lines that are still used and supported), too?