
Is Emby vulnerable to the Log4j exploit?


Go to solution Solved by Luke,


Posted

I'm also concerned by this. I'll shut down external access until we get an official response from the dev team.

maegibbons
Posted

I've also locked all the doors and pulled up the bed covers really tight!

 

Krs

 

Mark

  • Like 1
  • Haha 4
Posted

Also waiting on the answer. Shut down my Emby server in the meantime.

  • Like 1
crusher11
Posted

Is there a way to take the server as a whole offline, or do you need to disable remote access on a user by user basis?

Posted
8 minutes ago, crusher11 said:

Is there a way to take the server as a whole offline, or do you need to disable remote access on a user by user basis?

In my case my Emby server is a Linux container so I just shut down the container. I don't have any experience with other Emby server types.

crusher11
Posted

Right but there's no need to kill the entire server just to get it offline, right? 

runtimesandbox
Posted

Also keen to know this, some previous forum posts hint at log4j usage but it's not clear.

@Luke please can you provide an update on this? This is a very serious vuln that is trivial to exploit.

 

GrimReaper
Posted
4 hours ago, crusher11 said:

Is there a way to take the server as a whole offline, or do you need to disable remote access on a user by user basis?

[Attached image: Screenshot 2021-12-12 111709.png]

  • Solution
Posted

No, Emby does not use log4j.

  • Like 8
  • Thanks 4
runtimesandbox
Posted
9 hours ago, Luke said:

No, Emby does not use log4j.

Thanks for the confirmation Luke!

Posted

Even if Emby had used that package it would not be a vulnerability unless you also happened to use the LDAP plugin and didn't have your LDAP protected properly.
Likely the way Emby is implemented it would never be that kind of problem anyway as you would not be able to pass information to it.

So for all the reasons mentioned it's not a concern.

Worth mentioning. As far as security is concerned the best thing you can do is review your router/firewall and make sure UPnP is off, that no DMZ is on, that any port forwards are ones you have specifically set and control.  Make sure any hosts being pointed to by port forwarding have static IPs or static DHCP leases so the IP doesn't change.

Turn on firewalls on every computer/device you have in the house and review their settings.  

If you have the ability to use VLANs either in software or emulated using an old router one of the best things you can do is put all IoT devices on a separate network not allowing them to access your internal network except for specific ports or IPs.

Installing and using Pi-hole or AdGuard as your local DNS server goes a long way as they will block ad malware domains and ad sites (good in general) that carry this kind of code (Ransomware, Phishing, Spyware, Virus, Malware).

If you can't or don't know how to set either of those up then changing the 2 DNS entries in your home router can accomplish a lot.  This will give new DNS server entries to any client on your network as part of the DHCP renewal.  Changing the DNS entries to:

Cloudflare's Introducing 1.1.1.1 for Families
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
Malware Blocking Only
Primary DNS: 1.1.1.2
Secondary DNS: 1.0.0.2

Malware and Adult Content
Primary DNS: 1.1.1.3
Secondary DNS: 1.0.0.3

https://www.quad9.net/
9.9.9.9 and 149.112.112.112

https://www.comodo.com/secure-dns/
8.26.56.26 and 8.20.247.20

https://help.dyn.com/dyn-internet-guide/
216.146.35.35 and 216.146.36.36

https://signup.opendns.com/homefree/
OpenDNS Home

Customizable with web interface

Pi-hole or AdGuard by far give you the most control locally. But any of these solutions is DNS based and doesn't require any software to be installed. They simply don't return an IP to a domain name for suspect/filtered sites.

Cloudflare DNS servers will probably be faster with malware filtering than your local upstream ISP DNS servers anyway so it's win/win with that one even using in combination with Pi-hole or AdGuard.

  • Thanks 1
