SECURITY ADVISORY: Seafile Server's vulnerability to "Log4Shell" (log4j vulnerability, CVE-2021-44228)

Do you think it would be possible to release such an update for Seafile Pro 8.x (and maybe older version lines that are still used and supported), too?


@daniel.pan

I agree, we would prefer a 8.x version with updated ElasticSearch as well.

And can you tell us which ElasticSearch 6 version is used?


We can’t change included ElasticSearch packages in 8.0 version. If so, it is not much different from upgrading to version 9.0.

Compared to 8.0, 9.0 version mostly changes dependencies:

  • Upgrade to Django 3.2
  • Upgrading to ES 6.x

You can use any minor version of ElasticSearch 6.

But don’t you think using a separately installed elasticsearch would work in Seafile 8.0 basically the same way as in 9.0?

In version 8.0, you can use a separately installed elasticsearch. But the version has to be 5.6.x. So, it does not fix the problem.

Ah, I see. Okay.
And can you guess when Seafile 9.0 will officially lose the Beta status?

Thank you @daniel.pan !

Upgrade was successful and easy to do. Unfortunately I don’t have a docker, so I’m not using ElasticSearch in Seafile Pro 9.0.2.

I will disable [INDEX FILES] in version 9.0.2 for now.

A stable version should be available within a few weeks.

Upgrading the production server to a beta version I find very unattractive.
How about this, shouldn’t this fix it?
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Maybe someone has already tried this and knows where exactly you have to do it in seafile and if elasticsearch still works correctly afterwards.


Please release a fix for V8 ASAP, if not directly possible it should be possible to find another way.
According to the version sheet V8 is still within support and any Enterprise Customer should be able to expect a fix in that version for any vulnerability within that given time.
It is not a solution to tell Enterprise customers to update to the latest version “in a few weeks” while leaving their systems vulnerable for the time being. It is also not a solution to disable the search feature, at most for a couple of days.
Also, new versions are not stable enough when released for most Enterprise customers, especially with huge setups. Time is needed to test before rolling out new major versions.

Thanks for providing a patch to a still supported version of your product as advertised.

@daniel.pan @Jonathan

Could you provide the basic CE search function in PRO as alternative to the index based search?

This could also be generally a useful option to select from:

  • No Search function
  • Basic Search function
  • Advanced Search function (PRO only)

If someone doesn’t want the index based search function this could be a very useful feature since the library search function might be enough for some users.

The index based search function is still important and a fix for V8 should also be provided.

Thanks!


In principle, we should have a fix for the V8 version. But this means we need to prepare a v8.1 version, as dependencies change. We will need to prepare an upgrade script and test on different environments. So in reality, upgrading ElasticSearch in v8.1 is almost the same as upgrading to v9. We have been preparing the latter already for a few months.

The main changes in v9, besides upgrading ElasticSearch and Django, are adding the golang file server, which is not active by default.


I’ve tested many things in 9.0.2 and haven’t encountered an error. I can’t test ElasticSearch at the moment. Golang works well, but I turned it off after a few tests (just to be sure).

This sounds logical, thanks for clarifying.

Currently I’m using the option provided by @EAf6WAor (thanks for sharing).

I think this is currently enough for minimizing the risk, although I’m not sure what the second vulnerability in log4j means for the fix.

Regards,
Martin Angermeier

You need to run that command in pro/elasticsearch/lib in your seafile-server-latest directory.
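The `zip -d` one-liner above needs the `zip` binary, which is not on every server. The following is an added example (not Seafile's or ElasticSearch's code, and not from any post in this thread) that does the same thing with Python's standard library: it finds every `log4j-core-*.jar` under the ElasticSearch lib directory, reports whether `org/apache/logging/log4j/core/lookup/JndiLookup.class` is still inside, and rewrites the jar without that entry. The default directory `pro/elasticsearch/lib` is taken from the thread and is assumed to be relative to `seafile-server-latest`; the sample jar built by `make_sample_jar` is a constructed stand-in with placeholder entries, not a real log4j build.

```python
"""Find and strip JndiLookup.class from log4j-core jars (zip -d equivalent)."""
import glob
import os
import shutil
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed location, as stated in the thread, relative to seafile-server-latest.
DEFAULT_LIB_DIR = "pro/elasticsearch/lib"


def jar_has_jndi_lookup(jar_path):
    """True if the jar still ships the JNDI lookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class.

    Python's zipfile cannot delete in place, so every other entry is copied
    into a temp file next to the jar, which then atomically replaces it.
    Returns True if the class was present and removed, False if it was absent.
    """
    if not jar_has_jndi_lookup(jar_path):
        return False
    jar_dir = os.path.dirname(os.path.abspath(jar_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".log4j-", suffix=".jar", dir=jar_dir)
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_CLASS:
                    continue
                # Passing the original ZipInfo keeps compression and timestamps.
                dst.writestr(info, src.read(info.filename))
        shutil.copymode(jar_path, tmp_path)  # keep the jar's permission bits
        os.replace(tmp_path, jar_path)
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return True


def scan_lib_dir(lib_dir, remove=False):
    """Map each log4j-core jar to 'vulnerable', 'removed' or 'clean'."""
    results = {}
    for jar_path in sorted(glob.glob(os.path.join(lib_dir, "log4j-core-*.jar"))):
        if not jar_has_jndi_lookup(jar_path):
            results[jar_path] = "clean"
        elif remove:
            strip_jndi_lookup(jar_path)
            results[jar_path] = "removed"
        else:
            results[jar_path] = "vulnerable"
    return results


def make_sample_jar(path, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (NOT a real log4j build)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def run_demo():
    """End-to-end run on a constructed jar in a temp dir, not on a real install."""
    with tempfile.TemporaryDirectory() as lib_dir:
        jar_path = make_sample_jar(os.path.join(lib_dir, "log4j-core-sample.jar"))
        before = scan_lib_dir(lib_dir)[jar_path]
        removed = strip_jndi_lookup(jar_path)
        after = scan_lib_dir(lib_dir)[jar_path]
        with zipfile.ZipFile(jar_path) as jar:
            remaining = sorted(jar.namelist())
            intact = jar.testzip() is None  # CRC check of every remaining entry
        return {"before": before, "removed": removed, "after": after,
                "remaining": remaining, "intact": intact}


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--remove"]
    lib_dir = args[0] if args else DEFAULT_LIB_DIR
    for path, status in scan_lib_dir(lib_dir, remove="--remove" in sys.argv).items():
        print(f"{status:10s} {path}")
```

Run it without `--remove` first to see which jars still carry the class, then with `--remove` to strip it. Removing the class only changes the file on disk: a running ElasticSearch has already loaded the old jar, so restart it afterwards and re-run the scan to confirm the jar reports `clean`. Back up the jar before the first run so the change can be reverted if search misbehaves.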

I just found Advanced File Search configuration (Pro) - Seafile Admin Manual, which does say that this has been possible since 2.0.5 and doesn’t mention a specific Elasticsearch version requirement!
Can you please clarify there?

I would like to second the question whether disabling the JndiLookup class is possible. According to Apache this should also mitigate CVE-2021-45046 and is therefore an attractive fix while preparing for a server update.
@daniel.pan Could you please clarify?

Thank you!

The major version of ES should be the same as the included one. Because the Python search code is written for that version of elasticsearch.
