The popular cPanel web hosting control panel software recently issued a patch to fix a critical flaw in the log4j Java library, discovered in a part of the software used for email. The vulnerability itself is named Log4Shell.
Log4j Critical Log4Shell Vulnerability
Log4j is a Java library that adds drop-in logging functionality to many online software products. It is not something an end user would generally download and use directly; it is included as part of other software.
Because of that, end users generally aren’t aware whether the software they use contains the vulnerability.
The log4j vulnerability is rated at 10 on a scale of 1 to 10, with 10 representing the most dangerous level of vulnerability.
The vulnerability was described by a security researcher as catastrophic:
This rather catastrophic vulnerability affects anything that uses log4j to log anything that includes user input. And that means it affects nearly every Java application that accepts input from the Web.
— Wordfence (@wordfence) December 10, 2021
The United States Department of Homeland Security urged fast action:
All organizations should upgrade to Log4j version 2.15.0 or apply appropriate vendor-recommended mitigations immediately.
— Homeland Security (@DHSgov) December 12, 2021
cPanel Web Host Control Panel
cPanel is a control panel that makes it easy for a website operator to manage their website hosting environment.
cPanel offers a graphical user interface (GUI) that looks similar to a desktop interface. It makes it easy to perform tasks like updating the version of PHP used by websites, controlling the firewall and adding a security certificate, among many other things.
According to the business intelligence company BuiltWith, there are over three million customers who use cPanel.
United States Government Statement on Log4Shell Vulnerability
The United States government Cybersecurity and Infrastructure Security Agency (CISA) issued a statement on Saturday November 11, 2021 urging software developers and vendors that use the log4j library in their products to patch those products immediately and to notify their customers.
The Director of CISA, Jen Easterly, wrote:
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library.
…End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.
Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”
The statement says that the Joint Cyber Defense Collaborative, the National Security Agency and the FBI are also coordinating a proactive effort to raise awareness of the problem and mitigate vulnerabilities.
The statement adds:
“We continue to urge all organizations to review the latest CISA current activity alert and upgrade to log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately.
To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
cPanel Plugin Log4Shell Vulnerability
The vulnerable log4j Java library was discovered in an essential cPanel plugin called the cPanel Dovecot Solr plugin.
The plugin is an essential component of the IMAP email protocol.
cPanel describes it as:
“The cPanel Solr plugin enables Internet Message Access Protocol (IMAP) Full-Text Search (FTS) Indexing (powered by Apache Solr™), which provides fast search capabilities for IMAP mailboxes.”
An official cPanel forum discussion was among the first to identify that cPanel contained the log4j library and therefore might pose a security risk.
Within hours a cPanel technical analyst announced that a patch had been released:
“We have published an update with the mitigation for CVE-2021-44228 to the cpanel-dovecot-solr RPM.
Obtaining the Mitigation for CVE-2021-44228
You can run a cPanel Update which will update the cpanel-dovecot-solr RPM for you:
How to update cPanel/WHM
If you previously uninstalled cPanel Solr, you may install it again with the steps in this guide:
How to Install cPanel Solr”
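A defender's check to go with the update advice above, added here as an example and not code from the article, from cPanel or from its forum: it scans a directory tree for bundled log4j-core jars and flags any older than the 2.15.0 release the article names. The jar-name convention, the directory layout and the sample tree it builds are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article or from cPanel: report bundled
# log4j-core jars older than the 2.15.0 release the article cites.
# Assumption: jars follow the log4j-core-<version>.jar naming convention
# (the log4j 1.x artifact naming is not checked).
FIXED_VERSION="2.15.0"

# version_lt A B: succeed when dotted version A is numerically older than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1 }'
}

# log4j_version_from_jar PATH: version embedded in a log4j-core jar filename.
log4j_version_from_jar() {
  basename "$1" .jar | sed 's/^log4j-core-//'
}

# scan_log4j DIR: print one line per jar found; return 1 if any is below the
# fixed version. Paths containing whitespace are not handled by this loop.
scan_log4j() {
  found=0
  for jar in $(find "$1" -type f -name 'log4j-core-*.jar'); do
    ver=$(log4j_version_from_jar "$jar")
    if version_lt "$ver" "$FIXED_VERSION"; then
      echo "VULNERABLE $jar (log4j-core $ver is older than $FIXED_VERSION)"
      found=1
    else
      echo "OK $jar (log4j-core $ver)"
    fi
  done
  return $found
}

# make_sample_tree: constructed demo tree, not a real cPanel or Solr layout.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/solr/lib" "$d/other/lib"
  : > "$d/solr/lib/log4j-core-2.14.1.jar"
  : > "$d/other/lib/log4j-core-2.15.0.jar"
  echo "$d"
}

SAMPLE=$(make_sample_tree)
if scan_log4j "$SAMPLE"; then echo "no jar needs the vendor update"; else echo "apply the vendor update"; fi
rm -rf "$SAMPLE"
```

On a real host, point scan_log4j at the directory tree of the installed plugin instead of the constructed sample; a VULNERABLE line means the vendor update has not been applied there.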