I got an email from our web people asking about our DoOO and the recent Log4j vulnerability.
Best I can tell from this article, the only app associated with cPanel that uses Log4j is cpanel-dovecot-solr. It doesn’t look like we have that installed but I figured I’d ask y’all as well just in case.
Reclaim Hosting does not widely use applications written in Java, but Pressbooks does depend on a few applications written in Java; likewise, cPanel has some support for Java applications in the form of Apache Solr (full-text email search written in Java) and EasyApache’s version of Apache Tomcat (a web server written in Java).
While Log4j is an Apache Foundation project, it is not directly part of the Apache Web Server software that we make use of on most of our servers. The primary way that this vulnerability could impact us is through one of the few Java applications mentioned above that we do actually make use of.
A vulnerability scan on Pressbooks using the grype vulnerability scanner shows that Pressbooks’ Java dependencies are not impacted by the Log4Shell 0day.
Apache Solr is also another impacted software, but is not run on our servers by default. While we did not check if this version of Apache Solr included Log4j, and if the version of Log4j it may have included was vulnerable, it was nonetheless removed.
Many of our upstream providers may also have been impacted by this 0day, and we will continue to monitor things as needed.
Reclaim Cloud allows users to run a number of applications not supported on LAMP/LEMP type web servers like cPanel servers. Among these are Java applications. For users concerned about their applications being vulnerable, we recommend using the grype vulnerability scanner to scan for such vulnerabilities.
I’m really interested in the safety and security of DoOO. In SUNY, I’m often talking to potential campuses that might utilize our shared infrastruction. Safety and security of a project like DoOO often come up- as you might imagine!
My current talk I give focuses on whose responsibility it is to keep a project secure. I talk about things that Reclaim does, things that are joint responsibilities between Reclaim and the users, and things that only the user can do to make things secure.
Things Reclaim does- I tell them that it is Reclaims responsibility to make sure that the building blocks of our web applications are running safe, regularly updated versions. My example of this is PHP- Reclaim is responsible for regularly updating PHP to the latest version, making new versions available when they come up, and removing old/unsupported versions from the network. They make sure our shared environment is on a safe/supported version of linux and make sure all of those components are updated regularly.
Partnership areas- One of the biggest thing that end users need to do with web applications is update them frequently. To assist our users, Reclaim relies heavily on the Installatron application. By using a tool that can upgrade a web app with a few clicks of the mouse and also alerts users when new versions become available, Reclaim tries to make the upgrade process as easy as possible. Ultimately it is a partnership, because it is on the end user to click the button and upgrade their site, but Reclaim does its best to make it as easy as possible to keep a secure version of WordPress, Omeka, Drupal.
End user responsibilities- We have to educate our end users on is the use of plugins, user roles and management, and safe password policies. Often I pull up Wordfence articles and talk about real-world hacks like the Panama papers, or the recent list of insecure themes and plugins that were causing problems this week. I’m trying to impress upon them that it is a good idea to make sure the plugins you install are actively developed by programmers that can create patches and new versions when issues inevitably happen. I also introduce the idea that when they invite collaborators to work on a site with them, they should consider what role they need on the site, and the idea that giving someone the right sized role on a site is good practice. I then pull up my blog and show them the limit login attempts plugin, and show them that there are random ip addresses testing the top 100 most used passwords on my site all the time, so that password management is very important.
My point in sharing all this with you, is that the kind of information you just shared is very valuable to me. If there were ways you could keep sharing information like that, it would help me as I continue to field these types of questions, and it would also be like professional development for me as you raise our awareness on the types of things you are doing for us.
This is an amazing frame for where that line works. I like the idea of broader education for users, but also the server-level exploits do need to be addressed immediately, and in the case of log4j is a good example.
@bionicteaching Let me know if you got what you need on this. I think the only application we were concerned about that might be vulnerable is Pressbooks given it uses Java, but if you find anything let us know and we are definitely doing the same on our end.
I guess I meandered a little way to get to my point.
Here it is a little more bluntly. I get asked about security all the time. I answer the questions as best as I can. Meredith did a great job explaining what is going on a little bit, but she didn’t do it until she was asked a direct question.
Is there anyway Reclaim can keep us updated on the types of things you are doing at the server level for security without us asking? Both for our professional development and also so we can effectively answer questions from our frazzled sys admins?
Actually, this is something we have been talking about internally just recently, and we are working on more robust communication on a monthly basis. So, in short, there is a way and we are working on it, look for more in the new year, particularly on the infrastructure side of the house, but not exclusively. We will be communicating more directly across all groups at Reclaim, and it is cool to finally have the head space to do this a bit more methodically and programmatically,