A new security vulnerability in the popular Java logging framework Log4j was disclosed to Apache on 24 November 2021 and published on 9 December 2021. More information on the vulnerability is available here.
At Foldr HQ, security is our number one priority. We have been reviewing the issue and have come to the following conclusions:
1. The only component of the Foldr server which uses Java is the Foldr search module (based on Apache Solr). If you are not using Foldr search then this service will not be running so your system will not be affected at all. (As an aside, we usually recommend running Foldr search on a separate, non-public-facing server which does not need internet access.)
2. Foldr search does not directly expose Apache Solr to the internet. All input must come from an authenticated user and, once the authentication checks have taken place, this input is tokenised by the Foldr server itself before being sent on to Solr.
3. Apache Solr inside Foldr is not configured for query logging.
4. The version of OpenJDK installed inside Foldr ships with the JVM system property com.sun.jndi.rmi.object.trustURLCodebase set to false, which should prevent any remote code from being downloaded and executed.
In light of the above we do not believe that a Foldr server would be vulnerable to this particular attack.
However, in response to this issue, we pushed out an initial server update, v4.22.1.3, on 13 December 2021 which sets the log4j2.formatMsgNoLookups system property to true as an additional mitigation step. On 17 December 2021 we released update v4.22.1.5, which replaces the Log4j-related .jar files in Apache Solr with fully patched versions.
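For administrators who want to confirm the two mitigations described above on their own Solr host, the following added example (not Foldr's code) reads the Implementation-Version from a log4j-core jar's manifest and inspects a JVM command line for the log4j2.formatMsgNoLookups and trustURLCodebase properties. The jar used here is a constructed fixture containing only a manifest, and the 2.17.0 reference version comes from Apache's public Log4j advisories, not from this notice.

```python
import io
import re
import zipfile
from typing import Optional, Tuple

# Reference fix version for the Log4j 2.x issues disclosed in December 2021
# (from Apache's public advisories; this notice names no version number).
FIXED_LOG4J2 = (2, 17, 0)


def log4j_core_version(jar_bytes: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest, re.M)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def jvm_has_property(cmdline: str, name: str, expected: str) -> bool:
    """True if the JVM command line contains -D<name>=<expected>."""
    m = re.search(rf"-D{re.escape(name)}=(\S+)", cmdline)
    return m is not None and m.group(1) == expected


def assess(jar_bytes: bytes, cmdline: str) -> dict:
    """Summarise jar patch level and the two property-based mitigations."""
    ver = log4j_core_version(jar_bytes)
    return {
        "log4j_version": ver,
        "jar_patched": ver is not None and ver >= FIXED_LOG4J2,
        "format_msg_no_lookups": jvm_has_property(
            cmdline, "log4j2.formatMsgNoLookups", "true"),
        # The JDK default is false; flag only an explicit override to true.
        "trust_url_codebase_not_enabled": not jvm_has_property(
            cmdline, "com.sun.jndi.rmi.object.trustURLCodebase", "true"),
    }


def make_test_jar(version: str) -> bytes:
    """Constructed fixture: a jar holding only a manifest, not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed command line standing in for a running Solr process.
    print(assess(make_test_jar("2.14.1"),
                 "java -Dlog4j2.formatMsgNoLookups=true -jar start.jar"))
```

On a real host, replace the fixture with `Path(jar).read_bytes()` for each log4j-core jar under the Solr installation and the constructed command line with the contents of `/proc/<pid>/cmdline`.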