Good afternoon, everyone!
A few people have asked me about Manifold’s susceptibility to critical log4j2 vulnerability (CVE-2021-44228) that was announced last week.
So far, we haven’t seen evidence that Manifold is vulnerable to this exploit. Manifold relies on Elasticsearch for its search functionality, and Elasticsearch in turn uses the vulnerable log4j logging library. The version that ships with Manifold is vulnerable, but that doesn’t necessarily mean that the vulnerability can be easily exploited. Manifold does not expose its Elasticsearch service to the public, and all connections to it are mediated through the API. We’ve investigated, and it’s our view that no user input from a public Manifold instance can make its way into log4j logs, which means that Manifold does not appear to be vulnerable. Furthermore, the Elasticsearch team claims that version 7, which is what is in the Manifold package, is not susceptible to remote code execution.
That said, it pays to be especially cautious in these matters, and we’re working on 6.0.1 packages that will include updates to Elasticsearch and log4j. As of earlier this morning, we were still waiting on Elasticsearch 7.16.1 to be released, and it will take us a few days to build and test new packages. I expect we’ll release 6.0.1 on Tuesday or Wednesday of this week, which will be an easy upgrade for everyone already on v6. It should also be easy for people on v5, as we haven’t had any significant reports of upgrade problems.
If you installed Manifold from one of our packages (for Ubuntu or CentOS), you can easily mitigate the problem by adding one line to a file and restarting Elasticsearch. To do this, follow these steps:
- Shell into your server and edit
- Add this text on a new line at the end of the file and save it:
- Restart Elasticsearch to pick up the new configuration:
sudo manifold-ctl restart elasticsearch
If you are hosting Manifold through Manifold Digital Services, rest assured that we will be releasing a similar mitigation in the next couple hours to all instances.
We will also publish updated docker images when 6.0.1 is released later this week.