Totara Learn Open Discussions

Log4Shell Exploit

 
Log4Shell Exploit
by Paul Lowndes - Wednesday, 15 December 2021, 1:27 AM

I've been asked to report back on the action we are taking to guard against this: 


Does anyone know how this might affect Totara (if at all) and what steps they are taking?

Thanks
Paul


Re: Log4Shell Exploit
by Phil Williscroft - Wednesday, 15 December 2021, 12:47 PM
Re: Log4Shell Exploit
by Phil Williscroft - Wednesday, 15 December 2021, 1:46 PM
 

Sorry Paul, I just realized that the post I re-shared was in a partner-only forum. Here is the text.


Apache Log4j 2 security vulnerability CVE-2021-44228
by Sam Hemelryk - Tuesday, 14 December 2021, 1:35 PM


On December 9, 2021 a security vulnerability CVE-2021-44228 was publicly disclosed for the widely used Apache Log4j 2 application.

Totara Learning is aware of this vulnerability and has completed a preliminary assessment.

Totara Learning Solutions does not use Java and is therefore not exposed to this vulnerability.

Log4j is a Java-based logging application. Totara is written in PHP, a completely different language. It does not directly use, nor integrate with log4j.

Having reviewed the plugins provided with Totara, there is a single plugin that relies upon a Java solution: the Solr global search integration.

Solr

After running tests on the default Solr setup with Totara Learn we do not believe the log4j vulnerability is exploitable through Totara.

We still strongly recommend that Solr is upgraded to a secure version in order to ensure the environment is secure.
The latest versions of Solr have now been tested with Totara Learn and we can confirm they are working.

Totara Social and ElasticSearch

It has come to our attention that ElasticSearch is vulnerable to the log4j vulnerability.
Totara Social can be optionally configured to use ElasticSearch. It requires version 5.6.x which makes use of log4j 2.
In testing we have not been able to exploit the vulnerability through Totara Social.

If you have any concerns that your site may be using Solr or is using Totara Social please speak to your partner.
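
For anyone acting on the upgrade recommendation in the announcement above, this added example (not part of the thread and not Totara's code) inventories standalone log4j-core jars under a Solr or ElasticSearch install directory and reports which fall in the CVE-2021-44228 range. The affected range and the list of backported fix releases are assumptions taken from the Apache advisory rather than from this thread, and the sample jar names are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption (Apache advisory, not this thread): CVE-2021-44228 affects
# log4j-core 2.0-beta9 through 2.14.1, except these backported fix releases.
FIXED_BACKPORTS = {(2, 3, 1), (2, 3, 2), (2, 12, 2), (2, 12, 3), (2, 12, 4)}
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9]+)?\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify(jar):
    """Return (version, status) for a log4j-core jar, or None for other files."""
    m = JAR_RE.match(Path(jar).name)
    if not m:
        return None
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    in_range = (2, 0, 0) <= ver <= (2, 14, 1) and ver not in FIXED_BACKPORTS
    # Builds before 2.0-beta9, and jars with the class stripped out as a
    # mitigation, contain no JndiLookup, so inspect the archive itself.
    with zipfile.ZipFile(jar) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if not in_range:
        status = "not in affected range"
    elif has_jndi:
        status = "AFFECTED: upgrade"
    else:
        status = "affected version, JndiLookup absent"
    return ".".join(map(str, ver)), status

def scan(root):
    """Classify each standalone log4j-core jar under root (nested archives are not opened)."""
    root = Path(root)
    found = ((jar, classify(jar)) for jar in sorted(root.rglob("log4j-core-*.jar")))
    return {str(j.relative_to(root)): r for j, r in found if r}

def demo():
    """Scan a constructed install tree (file names and contents are made up)."""
    sample = {"log4j-core-2.11.1.jar": True, "log4j-core-2.12.2.jar": True,
              "log4j-core-2.14.1.jar": False, "log4j-core-2.17.1.jar": True}
    with tempfile.TemporaryDirectory() as tmp:
        for name, with_jndi in sample.items():
            with zipfile.ZipFile(Path(tmp, name), "w") as zf:
                zf.writestr(JNDI_CLASS if with_jndi else "META-INF/MANIFEST.MF", "")
        return scan(tmp)

if __name__ == "__main__":
    import sys
    print(scan(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with the search server's install directory as the only argument; with no argument it scans the constructed sample tree.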

Re: Log4Shell Exploit
by Paul Lowndes - Thursday, 16 December 2021, 3:07 AM

Hi Phil


Perfect! Thanks for this comprehensive answer.

I appreciate your response.

Thanks
Paul