CVE-2021-4104: is LibreOffice 5.3.6 vulnerable?

The installed LibreOffice version on our servers is 5.3.6. Our servers run RHEL 7. We identified that this specific LibreOffice version uses log4j 1.2.x (log4j-1.2.17 is installed along with LibreOffice).

We would like to know whether this LibreOffice version is vulnerable to CVE-2021-4104 or not.

We are using LibreOffice with default settings.

Vulnerability: NVD - CVE-2021-4104
We have a somewhat older version of LibreOffice (5.3.6). This is the latest LibreOffice version that comes from the RHEL 7 repos. We need to know the impact on this specific version, since log4j is installed as a dependency.

If you read the topic robleyd pointed to, it mentions that HSQLDB (the embedded database engine of the Base module) has the possibility to use log4j, so inspect whether you're actually using that and how.

Apart from that, if you don't use Base at all, you should nevertheless upgrade from that very old version 5.3.6 you use. Even if the old RHEL 7 repositories don't offer anything newer, there's the possibility to use the RPM-packaged builds provided by TDF on the download page (or older versions from the archive, like 6.4.7 or 7.0.6). A how-to is available there (for CentOS 8, but it's basically the same).

Does that mean this issue can occur only if the Base module is installed/used (only the Base module uses log4j)?

Base does not use log4j per se, but HSQLDB has the possibility to use log4j. Whether it does or not in your environment, you'd need to find out. If you didn't configure it (don't ask me how), then it likely doesn't. LibreOffice itself does not use log4j.

Even if you use Base with HSQL and install the log4j software, it would require some extra work to make your system vulnerable. LibreOffice has no connection to log4j, but there is a third-party component delivered with LO which has the potential to interact with log4j if you are able to set up the configuration.
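A defender's check that follows the advice in this thread, written as an added example and not part of any post above: it scans for log4j 1.x configuration files that enable JMSAppender (the precondition for CVE-2021-4104, since a bare log4j-1.2.17.jar on disk is not enough by itself) and reports whether an installed log4j jar still contains that class. The scan directories are assumptions for a RHEL 7 host; `rpm -ql log4j` is used to locate the packaged jar.

```shell
#!/bin/sh
# Added example, not from the thread: check the CVE-2021-4104 precondition.
# log4j 1.2 is affected by this CVE only when a log4j configuration enables
# org.apache.log4j.net.JMSAppender, so we look for configs naming that class
# and for jars that still ship it.

# Print every log4j 1.x configuration file under directory $1 that references
# JMSAppender. Returns 0 if at least one such file exists, 1 otherwise.
find_jms_appender_configs() {
    matches=$(find "$1" -type f \
        \( -name 'log4j.properties' -o -name 'log4j.xml' \) \
        -exec grep -l 'org\.apache\.log4j\.net\.JMSAppender' '{}' + 2>/dev/null)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# Return 0 if the log4j jar $1 still contains the JMSAppender class, 1 if it is
# absent or the jar cannot be read. Removing that class from the jar is the
# usual stop-gap when the jar cannot be upgraded or removed.
jar_has_jms_appender() {
    unzip -l "$1" 2>/dev/null | grep -q 'org/apache/log4j/net/JMSAppender\.class'
}

# Usage: ./check.sh --scan
# Directories are assumed locations of LibreOffice, its bundled HSQLDB and
# system-wide Java configuration on RHEL 7; adjust for your installation.
if [ "${1:-}" = "--scan" ]; then
    for d in /usr/lib64/libreoffice /usr/share/java /etc /opt; do
        [ -d "$d" ] && find_jms_appender_configs "$d"
    done
    # The log4j RPM (log4j-1.2.17 on the poster's host) owns the installed jars.
    rpm -ql log4j 2>/dev/null | grep '\.jar$' | while IFS= read -r jar; do
        jar_has_jms_appender "$jar" && echo "JMSAppender class present in $jar"
    done
fi
```

A non-empty list from the first scan means an application on the host actually configures JMSAppender and should be reviewed; no output with the class still present in the jar means the jar is affected in principle but nothing found is wired to use it.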

