log4j Vulnerability

[smseidl]

Has anyone reviewed this for any log4j (CVE-2021-44228) vulnerability risk? I haven't had time fighting this at work and was surprised there was nothing out here yet.

[siancu]

paperless-ng is written in python (backend) and typescript (frontend) and not in java, thus is not vulnerable to this particular thing.

[denilsonsa]

Although paperless itself is written in Python, it has an optional dependency on Apache Tika to support office documents. Thus, the log4j vulnerability question is somewhat relevant.

I know nothing about Apache Tika, I have no idea if it uses log4j or if it could be exploited.

[mpfl]

A cursory investigation shows that tika does use log4j, and the issue is being tracked on the Apache issue tracker.

That being said, it's only a security issue if someone can get access to your tika instance. If your tika instance is exposed to the Internet, you've got bigger problems.

The default docker-compose.yml does not expose tika, so bad actors would need to get access to it via other systems you have exposed to the Internet.

[smseidl]

Thanks for looking into it. Based on your finding, we probably should create an issue to update the docker-compose.yml & documentation once Apache publishes and update?

[mpfl]

The example docker-compose.yml files are already as good as they can be - they do not expose anything from tika.

They also do not specify a version for tika, so as soon as a new tika container is on dockerhub, a docker-compose down && docker-compose pull && docker-compose up -d will update the container to the latest version of the image.

There are a number of utilities that monitor container image versions and provide notifications. My current favourite is diun.

Edit: It's docker-compose not docker.

[smseidl]

Good points.... that's why I figured I'd ask others. I'm still fairly new in this docker world. I'll take a look at diun at a later date.