Read this post to be aware of the recently disclosed security issue related to the open-source Apache log4j library (CVE-2021-44228).
ONLYOFFICE Docs (Document Server) doesn’t use the log4j library and that’s why is not affected by the important security issue in log4j. This applies for all installation types of the editors.
ONLYOFFICE Workspace in the cloud (Cloud Service) doesn’t use the log4j library, so it isn’t affected by the log4j security issue.
Elasticsearch service implemented in ONLYOFFICE Workspace in the cloud was already updated by Amazon Web Services and is not affected by this issue either.
Please note: some regions may still be under the updating process.
ONLYOFFICE Personal doesn’t use the log4j library and is no way affected by the vulnerability in log4j.
Self-hosted ONLYOFFICE Workspace doesn’t use log4j, so its code is not affected by the mentioned security issue.
However, ONLYOFFICE Workspace provides the implemented Elasticsearch service for full-text search and indexing which is affected by the vulnerability.
To fully protect your ONLYOFFICE Workspace against the security issue in log4j, please check the official recommendations from Elasticsearch and follow our instructions.
1. Get SSH access to ONLYOFFICE Community Server. Usually, you can do it with the following command:
docker exec -it onlyoffice-community-server /bin/bash
2. Edit the /etc/elasticsearch/jvm.options file by adding the following line:
3. Restart ONLYOFFICE Community Server:
docker stop onlyoffice-community-server
docker start onlyoffice-community-server
Please note: execute these commands from the host system and NOT inside the Docker container.
1. Edit the/etc/elasticsearch/jvm.options file by adding the following line:
2. Restart Elasticsearch:
systemctl restart elasticsearch
1. Get access to ONLYOFFICE Community Server.
2. Edit the %programdata%\Elastic\Elasticsearch\config\jvm.optionsfile by adding the following line:
3. Restart the service: