Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE

Elastic Stack Elasticsearch
1

Hi ,
We have recently receive security vulnerabilities related to Log4j , as solution proposed is to Upgrade to Apache Log4j version 2.17.1, 2.12.4, or 2.3.2 or later.
Could you please confirm if there is a patch to install in order to fix this vulnerabilities , or is it mandatory to upgrade the version of ELK , the versions we have for the ELK cluster are

kibana_version: '7.15.1'

elasticsearch_version: '7.15.1'

logstash_version: '7.15.1'

securityplugin_version: '1.42.0'

securityplugin_version_kibana: '1.42.0'

Thanks

2

You should upgrade to 7.17

3

Thanks foryour answer , for the pluging readonly rest should we also upgrade it or juste the ELK cluster which must be upgrade

4

I have no idea for 3rd party plugins. You should ask them.

5

ok thank you for your reply

6

We also have on elasticsearch serveurs the vulnerability :

151209 (4) - OpenJDK 7 <= 7u281 / 8 <= 8u272 / 11.0.0 <= 11.0.9 / 13.0.0 <= 13.0.5 / 15.0.0 <= 15.0.1
Vulnerability (2021-01-19)

The solution proposed is to upgrade Upgrade to an OpenJDK version greater than 7u281 / 8u272 / 11.0.9 / 13.0.5 / 15.0.1

And on the Kibana , elasticsearch and logstash servers we have also the vulnerability :
Oracle Java SE Multiple Vulnerabilities

Proposing as solution to apply the appropriate patch according to the January 2023 Oracle Critical Patch Update advisory.

Is the upgrade of ELK should fix those vulnerabilities , otherwise is there any patch for the last one of oracle.

Thanks for help

7

As noted earlier, upgrade to at least version 7.17.8. I believe this comes with a considerable more recent JVM bundled.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.