This article will list the most frequently asked questions related to the Log4j flaw.
What is the Log4j flaw?
In December 2021, cybersecurity researchers highlighted an industry-wide vulnerability within the Apache Log4j component: CVE-2021-44228.
Although we have taken the necessary steps and have patched our managed products (i.e. cPanel Hosting, Premium Hosting), this vulnerability may affect Java-based applications within unmanaged products such as Dedicated Hosting and VPS.
What actions do I need to perform?
If you don’t have any Java-based applications on your server, then you won’t need to take any actions. Furthermore, Plesk and WHM/cPanel software that is provisioned with our Virtual Private Servers will not be affected by this vulnerability, since the affected components are not installed by default.
If, however, you do have any Java-based applications that use the Log4j utility, or if you have manually installed the ‘cpanel-dovecot-solr’ plugin into your cPanel software, you will need to update Log4j within your VPS and/or Dedicated Server package to version 2.16.0 as soon as possible. Since these are unmanaged services, you are responsible for applying their security patches. You can download the latest version of Log4j from Apache’s website.
If you have any of the following products with us, then you won’t need to perform any actions:
- cPanel Hosting
- Premium Hosting
- WordPress Hosting
How can I tell what version of Log4j I have?
You can verify what version of Log4j you’re running by using tools such as syft and grype, both of which can be downloaded from GitHub.
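For a first pass without extra tools, the following shell script is an added example (not part of the original article and not taken from syft or grype). It lists log4j-core JARs under a directory and flags any below the 2.16.0 target named above. It assumes the JARs keep their standard file name, log4j-core-<version>.jar; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Assumption: Log4j 2 JARs keep
# their standard file name, log4j-core-<version>.jar.

FIXED_VERSION="2.16.0"   # update target stated in this article

# version_lt A B: exit 0 when version A is lower than version B.
# Fields are compared as numbers, so 2.9.0 sorts below 2.16.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }' </dev/null
}

# scan_log4j DIR: print "STATUS VERSION PATH" for each log4j-core JAR under DIR.
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver=${jar##*/log4j-core-}
        ver=${ver%.jar}
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "OUTDATED $ver $jar"
        else
            echo "OK $ver $jar"
        fi
    done
}

# make_sample_tree: build a constructed directory of empty, correctly named
# files so the scan can be tried without touching a real server.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app1/lib" "$d/app2" "$d/app3"
    : > "$d/app1/lib/log4j-core-2.14.1.jar"
    : > "$d/app1/lib/log4j-api-2.14.1.jar"
    : > "$d/app2/log4j-core-2.16.0.jar"
    : > "$d/app3/log4j-core-2.9.0.jar"
    echo "$d"
}

# Usage: sh scan.sh /path/to/scan   (with no argument, nothing is scanned)
if [ "$#" -gt 0 ]; then
    scan_log4j "$1"
fi
```

A file-name scan does not see copies of Log4j that are renamed or bundled inside another archive (a WAR or a single "fat" JAR), so treat a clean result as a starting point rather than proof.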
I need further guidance – what should I do?
If you need assistance or have any further questions, please visit the official Security Vulnerabilities page on Apache’s website.