Bug in Log4j mitigation steps in Logstash 5.x

There's an excellent article on Logstash remediation to protect against Log4jshell vulnerability - Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation.

However, the steps suggested for Logstash 5.x don't seem to work, especially when using remove_backup_jndi_lookup.rb.

Trying to run remove_backup_jndi_lookup.rb as suggested in the link throws an error on Logstash 5.x nodes. For example, assuming the script is located at /root/remove_backup_jndi_lookup.rb:

$ vendor/jruby/bin/ruby /root/remove_backup_jndi_lookup.rb
-bash: vendor/jruby/bin/ruby: No such file or directory

$ bin/ruby /root/remove_backup_jndi_lookup.rb
LoadError: no such file to load -- zip
  require at org/jruby/RubyKernel.java:1040
  require at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:54
   (root) at /root/remove_backup_jndi_lookup.rb:7

It'd be useful if you could show why you believe it's not working.

But, to be clear, 5.X has been EOL for years now, and is no longer supported.

1 Like

@sandeepkanabar

Perhaps it was just a typo, but the article you linked to is for remediation for Elasticsearch.

The correct article for a remediation of Logstash 5.x is this.

1 Like
  • On Logstash 5.x.x run
    vendor/jruby/bin/ruby /tmp/remove_jndi_lookup.rb

There's an accidental typo, and it should be vendor/jruby/bin/jruby, i.e. instead of ruby it should be jruby.

Fixing this throws another error:

$ vendor/jruby/bin/jruby /root/remove_backup_jndi_lookup.rb
LoadError: no such file to load -- zip
  require at org/jruby/RubyKernel.java:1040
  require at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:54
   (root) at /root/remove_backup_jndi_lookup.rb:7

or using bin/ruby

$ bin/ruby /root/remove_backup_jndi_lookup.rb
LoadError: no such file to load -- zip
  require at org/jruby/RubyKernel.java:1040
  require at /usr/share/logstash/vendor/jruby/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:54
   (root) at /root/remove_backup_jndi_lookup.rb:7

From the /usr/share/logstash directory, the solution is to set export GEM_HOME=./vendor/bundle/jruby/1.9 after deleting the jar_backup/ directory, and then run
vendor/jruby/bin/jruby /<path_to_ruby_script>/remove_backup_jndi_lookup.rb
OR
bin/ruby /<path_to_ruby_script>/remove_backup_jndi_lookup.rb
and it should complete successfully.
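Once the script completes, a practitioner will want to confirm that no jar under the install still carries the class. The following is an added example, not the Elastic remediation script or the page's own code: it scans a directory tree for jars that still contain JndiLookup.class and applies the same removal with a backup copy, using Python's standard zipfile instead of JRuby's zip gem; every path is an assumption supplied by the caller.

```python
"""Check for, and optionally remove, JndiLookup.class in jars under a directory.
Added example (not the Elastic script); uses Python's zipfile rather than the
JRuby zip gem. Paths are caller-supplied assumptions."""
import os
import shutil
import zipfile

# Entry name of the class the Log4Shell mitigation strips from log4j-core jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jars_with_jndi_lookup(root):
    """Return sorted paths of every .jar under root that still ships JndiLookup.class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if JNDI_LOOKUP_CLASS in jar.namelist():
                        hits.append(path)
            except zipfile.BadZipFile:
                continue  # not a real jar archive; the scan is read-only, so just skip it
    return sorted(hits)


def remove_jndi_lookup(jar_path, backup_dir):
    """Copy jar_path into backup_dir, then rewrite the jar without JndiLookup.class.
    Returns True when an entry was removed, False when the jar was already clean."""
    os.makedirs(backup_dir, exist_ok=True)
    shutil.copy2(jar_path, os.path.join(backup_dir, os.path.basename(jar_path)))
    tmp_path = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            # writestr with a ZipInfo keeps the original entry's compression settings
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # atomic swap so a crash never leaves a half-written jar
    return removed
```

Note that a scan over the whole install directory will also flag the untouched copies in jar_backup/, which is expected: point the scan at the live jar directories or keep the backup outside the tree.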

Thanks Stephen. Accidentally linked wrong article. Corrected it.

Thanks Mark. Updated the question with exact error message and also suggested a possible solution.

Agree, it's EOL. But well, customers 🙂
