Apache log4j security bulletin: Stay safe with ONLYOFFICE

Read this post to be aware of the recently disclosed security issue related to the open-source Apache log4j library (CVE-2021-44228).

ONLYOFFICE Docs

ONLYOFFICE Docs (Document Server) doesn’t use the log4j library and that’s why is not affected by the important security issue in log4j. This applies for all installation types of the editors.

ONLYOFFICE Document Server uses a JavaScript library called log4js. This is a different framework specially created to work with Node.js. It is already verified that log4js does not have the mentioned issue.

ONLYOFFICE Workspace in the cloud

ONLYOFFICE Workspace in the cloud (Cloud Service) doesn’t use the log4j library, so it isn’t affected by the log4j security issue.

Elasticsearch service implemented in ONLYOFFICE Workspace in the cloud was already updated by Amazon Web Services and is not affected by this issue either.

Please note: some regions may still be under the updating process.

ONLYOFFICE Personal

ONLYOFFICE Personal doesn’t use the log4j library and is no way affected by the vulnerability in log4j.

ONLYOFFICE Workspace

Self-hosted ONLYOFFICE Workspace doesn’t use log4j, so its code is not affected by the mentioned security issue.

However, ONLYOFFICE Workspace provides the implemented Elasticsearch service for full-text search and indexing which is affected by the vulnerability.

To fully protect your ONLYOFFICE Workspace against the security issue in log4j, please check the official recommendations from Elasticsearch and follow our instructions.

For Docker

1. Get SSH access to ONLYOFFICE Community Server. Usually, you can do it with the following command:

docker exec -it onlyoffice-community-server /bin/bash

2. Edit the /etc/elasticsearch/jvm.options file by adding the following line:

-Dlog4j2.formatMsgNoLookups=true

3. Restart ONLYOFFICE Community Server:

docker stop onlyoffice-community-server

docker start onlyoffice-community-server

Please note: execute these commands from the host system and NOT inside the Docker container.

For CentOS/Debian

1. Edit the/etc/elasticsearch/jvm.options file by adding the following line:

-Dlog4j2.formatMsgNoLookups=true

2. Restart Elasticsearch:

systemctl restart elasticsearch

For Windows

1. Get access to ONLYOFFICE Community Server.

2. Edit the %programdata%\Elastic\Elasticsearch\config\jvm.optionsfile by adding the following line:

-Dlog4j2.formatMsgNoLookups=true

3. Restart the service: Elasticsearch

Questions left?

Please don’t hesitate to contact our support team or reach out to us on forum if you have any additional questions.