log4j - official statement from nextcloud? #30242

Closed
hj-beckers opened this issue Dec 13, 2021 · 7 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap

Comments

@hj-beckers

Will there be an official statement from nextcloud? My employer insists on a statement that nextcloud is not affected by the log4j-problem.

@hj-beckers hj-beckers added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Dec 13, 2021
@DanScharon

log4j is a Java library. Nextcloud is written in PHP and JavaScript and I do not know of any other Nextcloud component that is written in Java. Maybe you use a Nextcloud App that depends on a Java application, but then again, that is not part of Nextcloud itself.

@solracsf
Member

solracsf commented Dec 13, 2021

This is out of scope; asking if a PHP application is affected by a Java (not JavaScript) problem is the same as asking if your car engine problem will affect your bicycle. 😜

Perhaps, if you have any plugins that may employ Java (thinking about OnlyOffice SERVER : https://github.com/search?q=org%3AONLYOFFICE+log4j&type=code) then you may contact the respective editors.

But just to be clear here; the default OnlyOffice Documentserver should NOT be affected as log4j is not used in that specific product.

More info here too: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

@solracsf solracsf removed the bug label Dec 13, 2021
@szaimen szaimen closed this as completed Dec 13, 2021
@LogSpider

LogSpider commented Dec 14, 2021

Out of scope? You are out of scope. Pay Attention. Nextcloud is affected when you have Installed Apps like Fulltext Search. Elastic Search or Apache Solr. It's simple, connect to your Instance and check your Filesystem.

locate .jar | grep log4j
/home/ncadmin/solr_install/solr-6.6.2/server/lib/ext/log4j-1.2.17.jar
/home/ncadmin/solr_install/solr-6.6.2/server/lib/ext/slf4j-log4j12-1.7.7.jar
/opt/solr-6.6.2/licenses/log4j-1.2.17.jar.sha1
/opt/solr-6.6.2/licenses/slf4j-log4j12-1.7.7.jar.sha1
/opt/solr-6.6.2/server/lib/ext/log4j-1.2.17.jar
/opt/solr-6.6.2/server/lib/ext/slf4j-log4j12-1.7.7.jar
/usr/share/elasticsearch/lib/log4j-1.2-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
/usr/share/elasticsearch/modules/x-pack-security/log4j-slf4j-impl-2.11.1.jar
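
A way to triage the filename hits in the listing above, as an added example that is not part of the original comment or of Nextcloud (the function names are made up here). It drops the `.sha1` checksum files and separates the Log4j 2 implementation jar (`log4j-core`) from the API, bridge and SLF4J binding jars and from Log4j 1.x:

```bash
# Sample input: the listing from the comment above, one path per line.
sample_listing() {
cat <<'EOF'
/home/ncadmin/solr_install/solr-6.6.2/server/lib/ext/log4j-1.2.17.jar
/home/ncadmin/solr_install/solr-6.6.2/server/lib/ext/slf4j-log4j12-1.7.7.jar
/opt/solr-6.6.2/licenses/log4j-1.2.17.jar.sha1
/opt/solr-6.6.2/licenses/slf4j-log4j12-1.7.7.jar.sha1
/opt/solr-6.6.2/server/lib/ext/log4j-1.2.17.jar
/opt/solr-6.6.2/server/lib/ext/slf4j-log4j12-1.7.7.jar
/usr/share/elasticsearch/lib/log4j-1.2-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
/usr/share/elasticsearch/modules/x-pack-security/log4j-slf4j-impl-2.11.1.jar
EOF
}

# Reads paths on stdin, prints "<class><TAB><version><TAB><path>" per real jar.
classify_log4j_paths() {
  while IFS= read -r path; do
    base=${path##*/}
    case "$base" in
      *.jar) ;;          # keep real archives
      *) continue ;;     # skip e.g. licenses/*.jar.sha1 checksum files
    esac
    ver=${base%.jar}; ver=${ver##*-}   # text after the last "-" in the name
    case "$base" in
      log4j-core-*)       class="log4j2-core" ;;     # Log4j 2 implementation
      log4j-api-*)        class="log4j2-api" ;;      # Log4j 2 API only
      log4j-1.2-api-*)    class="log4j2-bridge" ;;   # 1.2 API bridge onto Log4j 2
      log4j-slf4j-impl-*) class="log4j2-binding" ;;  # SLF4J binding to Log4j 2
      slf4j-log4j12-*)    class="log4j1-binding" ;;  # SLF4J binding to Log4j 1.2
      log4j-1.*)          class="log4j1" ;;          # Log4j 1.x library itself
      *)                  class="other" ;;
    esac
    printf '%s\t%s\t%s\n' "$class" "$ver" "$path"
  done
}

# Counts the rows of one class in classify_log4j_paths output (stdin).
count_class() {
  awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

sample_listing | classify_log4j_paths
```

A filename search only sees jars that sit directly on disk; a copy packed inside another archive does not show up in it.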

@wiswedel
Contributor

Nextcloud would do good by getting off their high horses and explaining to the normal human what they can do and should do.
Not a single statement after 3 days of fire makes me feel pretty left alone.

@szaimen
Contributor

szaimen commented Dec 14, 2021

See https://help.nextcloud.com/t/apache-log4j-does-not-affect-nextcloud/129244/2

@shalien

shalien commented Dec 17, 2021

Out of scope? You are out of scope. Pay Attention. Nextcloud is affected when you have Installed Apps like Fulltext Search. Elastic Search or Apache Solr. It's simple, connect to your Instance and check your Filesystem.

locate .jar | grep log4j
/home/ncadmin/solr_install/solr-6.6.2/server/lib/ext/log4j-1.2.17.jar
/home/ncadmin/solr_install/solr-6.6.2/server/lib/ext/slf4j-log4j12-1.7.7.jar
/opt/solr-6.6.2/licenses/log4j-1.2.17.jar.sha1
/opt/solr-6.6.2/licenses/slf4j-log4j12-1.7.7.jar.sha1
/opt/solr-6.6.2/server/lib/ext/log4j-1.2.17.jar
/opt/solr-6.6.2/server/lib/ext/slf4j-log4j12-1.7.7.jar
/usr/share/elasticsearch/lib/log4j-1.2-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
/usr/share/elasticsearch/modules/x-pack-security/log4j-slf4j-impl-2.11.1.jar

Affected when a specific 3rd party component is installed. ...

@LogSpider

LogSpider commented Dec 18, 2021

It's very simple, if someone wrote here the core application without additional apps or service is not affected, I would have accepted that, instead comparisons are made here with cars and bicycles ...

You wrote, affected when a specific 3rd party component is installed. Yes, exactly, correct, as I already wrote...

I also make unprofessional comparisons with cars now, if you drive a bomb for a walk in your car and it explodes, is your car affected or not?

so please
