Totara Learn Open Discussions

Log4Shell Exploit

 
Paul Lowndes
Log4Shell Exploit
par Paul Lowndes, Wednesday 15 December 2021, 01:27
Groupe Most Helpful Contributor 2021

I've been asked to report back on the action we are taking to guard against this: 


Does anyone know how this might Torara (if at all) and what steps they are taking?

Thanks
Paul


Phil Williscroft
Re: Log4Shell Exploit
par Phil Williscroft, Wednesday 15 December 2021, 12:47
Phil Williscroft
Re: Log4Shell Exploit
par Phil Williscroft, Wednesday 15 December 2021, 13:46
 

Sorry Paul I just realized that the post I re-shared was in a partner only forum.  Here is the text.


Apache Log4j 2 security vulnerability CVE-2021-44228
by Sam Hemelryk - Tuesday, 14 December 2021, 1:35 PM


On December 9, 2021 a security vulnerability CVE-2021-44228 was publicly disclosed for the widely used Apache Log4j 2 application.

Totara Learning is aware of this vulnerability and has completed a preliminary assessment.

Totara Learning Solutions does not use Java and are therefore not exposed to this vulnerability.

Log4j is a Java based logging application. Totara is written in PHP, a completely different language. It does not directly use, nor integrate with log4j.

Having reviewed the plugins provided with Totara, there is a single plugin that relies upon a Java solution: the Solr global search integration.

Solr

After running tests on the default Solr setup with Totara Learn we do not believe the log4j vulnerability is exploitable through Totara.

We still strongly recommend that Solr is upgraded to secure version in order to ensure the environment is secure.
The latest versions of Solr have now being tested with Totara Learn and we can confirm are working.

Totara Social and ElasticSearch

It has come to our attention the ElasticSearch is vulnerable to the log4j vulnerability.
Totara Social can be optionally configured to use ElasticSearch. It requires version 5.6.x which makes use of log4j 2.
In testing we have not being able to exploit the vulnerability through Totara Social.

If you have any concerns that your site may be using Solr or is using Totara Social please speak to your partner.

Paul Lowndes
Re: Log4Shell Exploit
par Paul Lowndes, Thursday 16 December 2021, 03:07
Groupe Most Helpful Contributor 2021

Hi Phil


Perfect ! Thanks for this comprehensive answer.

I appreciate your response.

Thanks
Paul