The popular cPanel web hosting control panel software recently issued a patch for a critical flaw in the Log4j Java library, which was found in a component of the software used for email search. The vulnerability itself is named Log4Shell.
Log4j Critical Log4Shell Vulnerability
Log4j is a Java logging library that is dropped into many online software products. It is not something an end user would generally download and use on its own; it is bundled as part of the software they install.
Because of that, end users generally aren't aware whether the software they use contains the vulnerability.
The Log4j vulnerability is rated 10.0 on the CVSS scale of 0 to 10, the highest severity rating possible.
The vulnerability was described by a security researcher as catastrophic:
This rather catastrophic vulnerability affects anything that uses log4j to log anything that includes user input. And that means it affects nearly every Java application that accepts input from the Web.
— Wordfence (@wordfence) December 10, 2021
The United States Department of Homeland Security urged fast action:
All organizations should upgrade to Log4j version 2.15.0 or apply appropriate vendor-recommended mitigations immediately.
— Homeland Security (@DHSgov) December 12, 2021
cPanel Web Host Control Panel
cPanel is a control panel that makes it easy for a website operator to manage their website hosting environment.
cPanel offers a graphical user interface (GUI) that looks similar to a desktop interface. It makes it easy to perform tasks like updating the version of PHP used by websites, controlling the firewall and adding a security certificate, among many other things.
According to the business intelligence company BuiltWith, there are over three million customers who use cPanel.
United States Government Statement on Log4Shell Vulnerability
The United States government Cybersecurity and Infrastructure Security Agency (CISA) issued a statement on Saturday, December 11, 2021 urging software developers and vendors that use the Log4j library in their products to patch their products immediately and to notify their customers.
The Director of CISA, Jen Easterly, wrote:
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library.
…End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.
Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”
The statement says that the Joint Cyber Defense Collaborative, National Security Agency and the FBI are also coordinating their proactive stance toward creating awareness of the problem and mitigating vulnerabilities.
The statement adds:
“We continue to urge all organizations to review the latest CISA current activity alert and upgrade to log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately.
To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
cPanel Plugin Log4Shell Vulnerability
The vulnerable Log4j Java library was found in a cPanel plugin called the cPanel Dovecot Solr plugin.
The plugin is not part of the IMAP protocol itself; it is an optional add-on that provides full-text search indexing for IMAP mailboxes.
cPanel describes it as:
“The cPanel Solr plugin enables Internet Message Access Protocol (IMAP) Full-Text Search (FTS) Indexing (powered by Apache Solr™), which provides fast search capabilities for IMAP mailboxes.”
An official cPanel forum discussion was among the first to identify that cPanel shipped the Log4j library and therefore might be exposed.
Within hours a cPanel technical analyst announced that a patch had been released:
“We have published an update with the mitigation for CVE-2021-44228 to the cpanel-dovecot-solr RPM.
Obtaining the Mitigation for CVE-2021-44228
You can run a cPanel Update which will update the cpanel-dovecot-solr RPM for you:
How to update cPanel/WHM
If you previously uninstalled cPanel Solr, you may install it again with the steps in this guide:
How to Install cPanel Solr”
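Running the vendor update is the fix; what an administrator usually wants next is a way to confirm what is actually on disk. The following Python script is an added example, not cPanel's code or anything posted in the forum thread: it walks a directory tree, finds log4j-core jars, reads the version from the jar manifest (falling back to the version in the filename), and checks whether the org/apache/logging/log4j/core/lookup/JndiLookup.class entry, the class through which the Log4Shell lookup runs, is still present. The scan root is a parameter supplied by the operator; the install path of cPanel's Solr is not stated on this page and is left as an assumption. The 2.15.0 threshold comes from the CISA guidance quoted above.

```python
import os
import re
import sys
import zipfile
from pathlib import Path

# Added example: a post-update check for a host that bundles Log4j (for instance
# the cpanel-dovecot-solr package). The scan root is supplied by the operator;
# the exact install path of cPanel's Solr is an assumption, not taken from the page.

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # version named in the CISA guidance quoted above
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z version in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def manifest_version(jar):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def assess_jar(path):
    """Classify one log4j-core jar as patched, mitigated or vulnerable."""
    path = Path(path)
    with zipfile.ZipFile(path) as jar:
        version = manifest_version(jar) or parse_version(path.name)
        has_jndi = JNDI_LOOKUP in jar.namelist()
    if version is not None and version >= FIXED_VERSION:
        status = "patched"      # upgraded to a fixed release
    elif not has_jndi:
        status = "mitigated"    # JndiLookup class removed from the jar
    else:
        status = "vulnerable"   # old (or unknown) version with JndiLookup present
    return {"path": str(path), "version": version, "jndi_lookup": has_jndi, "status": status}


def scan(root):
    """Walk root and assess every log4j-core*.jar found; results sorted by path."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(assess_jar(Path(dirpath) / name))
    return sorted(results, key=lambda r: r["path"])


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    findings = scan(root)
    for r in findings:
        ver = ".".join(map(str, r["version"])) if r["version"] else "unknown"
        print(f"{r['status']:<10} {ver:<8} jndi={r['jndi_lookup']!s:<5} {r['path']}")
    # Non-zero exit if anything still looks exploitable, so it can gate a cron job or CI.
    sys.exit(1 if any(r["status"] == "vulnerable" for r in findings) else 0)
```

Run it as `python3 log4j_check.py /path/to/solr` after the update. Two caveats: the script only looks at jars named log4j-core on disk, so Log4j shaded into another application jar is not seen; and the version threshold should be raised to whatever the vendor currently recommends, since the 2.15.0 release quoted on this page was later superseded by newer Log4j releases.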
cPanel Forum Discussion
United States Government Statement
Google December Product Reviews Update Affects More Than English Language Sites?
Google’s Product Reviews update was announced as rolling out to English-language pages. No mention was made of if or when it would roll out to other languages. Google’s John Mueller answered a question about whether it is rolling out to other languages.
Google December 2021 Product Reviews Update
On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.
Our December 2021 product reviews update is now rolling out for English-language pages. It will take about three weeks to complete. We have also extended our advice for product review creators: https://t.co/N4rjJWoaqE
— Google Search Central (@googlesearchc) December 1, 2021
The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.
A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:
“Mainly relevant to sites that post articles reviewing products.
Think of sites like “best TVs under $200”.com.
Goal is to improve the quality and usefulness of reviews we show users.”
Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.
The first best practice was a requirement of evidence that a product was actually handled and reviewed.
The second best practice was to provide links to more than one place that a user could purchase the product.
The Twitter announcement stated that the update was rolling out to English-language pages. The blog post did not say which languages it covered, nor that the product reviews update was limited to English.
Google’s Mueller Thinking About Product Reviews Update
Product Review Update Targets More Languages?
The person asking the question was rightly under the impression that the product review update only affected English language search results.
But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.
This is his question:
“I was seeing some movements in German search as well.
So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.
…My question is, is it possible that the product reviews update affects other sites as well?”
John Mueller answered:
“I don’t know… like other languages?
My assumption was this was global and across all languages.
But I don’t know what we announced in the blog post specifically.
But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.
I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.
But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.
And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.
So I’m not particularly surprised that you see changes in Germany.
But I also don’t know what we actually announced with regards to the locations and languages that are involved.”
Does Product Reviews Update Affect More Languages?
While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.
Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.
One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.
It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.
Google Blog Post About Product Reviews Update
Google’s New Product Reviews Guidelines
John Mueller Discusses If Product Reviews Update Is Global
Watch Mueller answer the question at the 14:00 Minute Mark