NEWS | DECEMBER 17, 2021
Apache Log4j2 Remote Code Execution (RCE) Vulnerability CVE-2021-44228 | ESA-2021-31 | CVE-2021-45046
A critically rated vulnerability in the widely used Java library Log4j allows attackers to execute arbitrary code. Since the vulnerability can be exploited without explicitly loading malicious code, the German Federal Office for Information Security (BSI) retroactively elevated the Zero-Day vulnerability to the highest warning level red over the weekend (source: Heise).
We have analyzed the threat situation regarding OTOBO and have reached the following preliminary conclusions:
- In the OTOBO application bundle, only Elasticsearch uses Log4j and could therefore potentially be affected.
- According to current statements from Elasticsearch, OTOBO is fundamentally not affected by the major security threats (Remote Code Execution, data leaks).
The central sentence here is: “Supported Versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage” (see: Elasticsearch statement). OTOBO uses JDK 16, and Elasticsearch has been at version 7.14+ since its first beta.
- In manually set up instances that use Elasticsearch with OpenJDK 8, limited .env data leakage may be possible.
OTOBO Docker Environment
The OTOBO Docker-Compose environment, in our assessment and according to Elasticsearch’s statement, is not affected since Java JDK 16 is in operation there.
Manual OTOBO Installation with Apache2
Elasticsearch 6 and 7 are not vulnerable to Remote Code Execution with this security vulnerability due to the use of the Java Security Manager.
Elasticsearch running under JDK8 or below is susceptible to an information leak via DNS, which can be mitigated by setting the following JVM property: set the JVM option -Dlog4j2.formatMsgNoLookups=true
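The two checks above (which JDK the Elasticsearch node runs on, and whether the formatMsgNoLookups property is set) can be scripted. The following is an added example, not code from OTOBO or Elastic: it parses a `java -version` banner into a major version, maps it to the two categories the advisory distinguishes (JDK9+ versus JDK8 or below), and adds the JVM option to a jvm.options file only if it is not already there. The jvm.options path is an assumption passed in by the caller (package installs of Elasticsearch keep it at /etc/elasticsearch/jvm.options; tarball installs use config/jvm.options); the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not OTOBO or Elastic code): triage an Elasticsearch host
# against the Log4j 2 guidance above and apply the JVM mitigation.
# Assumption: the caller supplies the jvm.options path.

# Extract the major Java version from a `java -version` banner line.
# Constructed samples: 'openjdk version "1.8.0_312"'  -> 8 (legacy 1.x scheme)
#                      'openjdk version "16.0.2" 2021-07-20' -> 16
jdk_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# Map a JDK major version to the advisory's two categories:
#   jdk9plus  : not susceptible to RCE or information leakage (per Elastic)
#   jdk8minus : DNS information leak possible; set formatMsgNoLookups
exposure_for_jdk() {
    if [ "$1" -ge 9 ]; then echo jdk9plus; else echo jdk8minus; fi
}

# Report whether the option is already present in a jvm.options file (exit 0 = yes).
has_no_lookups() {
    grep -q '^-Dlog4j2.formatMsgNoLookups=true$' "$1" 2>/dev/null
}

# Idempotently append -Dlog4j2.formatMsgNoLookups=true to a jvm.options file.
# Prints "present" if it was already there, "added" otherwise.
ensure_no_lookups() {
    if has_no_lookups "$1"; then
        echo present
    else
        printf '%s\n' '-Dlog4j2.formatMsgNoLookups=true' >> "$1"
        echo added
    fi
}

# Live usage on a node (needs the JDK Elasticsearch runs on to be on PATH;
# Elasticsearch must be restarted for a jvm.options change to take effect):
#   major=$(jdk_major "$(java -version 2>&1 | head -n 1)")
#   if [ "$(exposure_for_jdk "$major")" = jdk8minus ]; then
#       ensure_no_lookups /etc/elasticsearch/jvm.options
#   fi
```

The version parser reads the banner text rather than calling `java` itself, so the same functions can be run against output collected from several hosts. The grep is anchored to the exact option line so a commented-out or partially matching entry is not mistaken for an active setting.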
Disabling Elasticsearch in OTOBO
If you want to disable Elasticsearch, it is possible at any time without jeopardizing system functionality. Only the Elasticsearch search will not be available for use. The normal search and all other functions will remain fully accessible.
Please proceed as follows:
- Please switch to Admin -> System Configuration and deactivate the option “Elasticsearch::Active”.
- Navigate to Web Services and set the web service “Elasticsearch” to invalid.
- Stop the Elasticsearch service.
New Patch with Latest Elasticsearch Version – OTOBO 10.0.14
Although based on all available information, it is unlikely that OTOBO instances with current Elasticsearch components are affected by Log4Shell, we are providing a patch level release with OTOBO 10.0.14, which incorporates the latest Elasticsearch version 7.16.1. This version includes the JVM property by default, and some Log4J components were removed as a precautionary measure (original statement of Elastic).
New Vulnerability CVE-2021-45046
Elastic’s recommendation for Elasticsearch remains unchanged following the discovery of the new security vulnerability. Therefore, nothing changes for OTOBO compared to before.
The original text from Elastic: “Update 15 December. A further vulnerability (CVE-2021-45046) was disclosed on December 14th after it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Our guidance for Elasticsearch, A A and and is20144, and Logstash are unchanged by this new vulnerability.” (source)
About Rother OSS GmbH
Rother OSS GmbH is the owner of the source code for the open-source service management platform OTOBO. We support our customers with consulting, development, support, and managed services during the implementation and operation of OTOBO. With OTOBO, organizations can design their processes more efficiently, increase their employees’ productivity, and improve their service quality – in IT, customer, or enterprise service management. At the same time, they maintain control over their data, reduce risks, and save costs. We are passionate about open source and believe in the benefits of cooperative software development. By releasing OTOBO under the GNU General Public License (GPL v3.0), we want to share our passion for the open-source model with users, particularly a flexible, extensible, and scalable service management platform. Together with customers, partners, developers, and users, we are the OTOBO community. Nothing motivates us more than additional organizations using OTOBO to delight their customers with exceptional service. Every smile counts – every day. While we have been offering services for the precursor to OTOBO, the helpdesk system OTRS, since 2011, the community has had a better alternative available since 2019 with OTOBO, which is 100% open source and remains so. You can find current news about OTOBO on otobo.io or LinkedIn. Follow us!
Press contact
Grit Rother
Tel: +49 9427 68 39 000
Report a security issue: security@otobo.org