CVE-2021-44228 aka log4shell is logstash and/or elasticsearch affected?

jzandbergen · December 10, 2021, 11:07am

Hi All,

I was wondering if logstash and/or Elasticsearch is affected by this CVE?
More information about this zeroday can be found here: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

I'm not too sure whether or not we're affected so in the meantime we've shutdown all our logstash instances.

Cheers!

rcowart · December 10, 2021, 11:24am

I just came here to ask the same question. Another link with details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

esorek · December 10, 2021, 11:52am

Same question as well. Please elaborate the list affected and not affected versions

jzandbergen · December 10, 2021, 2:00pm

Here I see that a version of Elasticsearch seems to be affected GitHub - YfryTchsGD/Log4jAttackSurface .

esorek · December 10, 2021, 2:23pm

Not sure it is clear to me and I follow which Elasticsearch versions are affected and which are not.

inazo · December 10, 2021, 2:38pm

Search on your host which version are used by Elasticsearch mine is log4j-api-2.11.1.jar what are locate to : /usr/share/Elasticsearch/lib/log4j-api-2.11.1.jar

You can add this : -Dlog4j2.formatMsgNoLookups=true

At the end of /etc/Elasticsearch/jvm.options file, for waiting update to 2.15.0 of log4j2

hocho · December 10, 2021, 3:07pm

Is it not enough to add log4j.formatMsgNoLookup = true in /etc/elasticsearch/log4j2.properties?

prprt · December 10, 2021, 5:10pm

Has anyone from Elastic confirmed these methods?

BenB196 · December 10, 2021, 5:19pm

Just an FYI; bump log4j version to 2.15.0 by jsvd · Pull Request #13494 · elastic/logstash (github.com) was just merged, so looks like logstash 7.16.1 will contain the new fixed version.

warkolm · December 10, 2021, 10:22pm

Please see Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31.

We will be making more announcements as details become clearer.

Jamshid · December 12, 2021, 4:32pm

@hocho where have you seen that this can be specified in log4j2.properties? I don't think it can, it must be a system property specified on the jvm command line e.g. in jvm.options as -Dlog4j2.formatMsgNoLookups=true.

mouarg · December 13, 2021, 1:42am

k: [xxxx.xxx-oob] => {

"response.stdout_lines": [

    "/opt/xxx/xxx/elasticsearch7_2.0.6-es7.9.3_1/data/config/log4j2.properties",

    "/opt/xxx/xxx/elasticsearch_1.1.55.2-es5.6.8-2_0/data/config/log4j2.properties"

]

Do i need to be worried with these versions of Elasticsearch?

Thanks

MChat · December 13, 2021, 6:20pm

As per Solutions and Mitigations for Logstash on Elastic security announcement - Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 , suggests removing JndiLookup class from log4J-core-2* .

Solutions and Mitigations:
Users should upgrade to Logstash 6.8.21 or 7.16.1 once they are released (expected Monday 13th December). These releases will replace vulnerable versions of Log4j with Log4j 2.15.0.

The widespread flag -Dlog4j2.formatMsgNoLookups=true is NOT sufficient to mitigate the vulnerability in Logstash in all cases, as Logstash uses Log4j in a way where the flag has no effect. It is therefore necessary to remove the JndiLookup class from the log4j2 core jar, with the following command:

zip -q -d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

Please note that a restart of the Logstash process is necessary for the change to take effect.

Does it apply to Logstash running on JDK 8u302 with JVM argument, "-Dlog4j2.formatMsgNoLookups=true" without updating log4j-core v2.15 ? This blog Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec says -

JDK versions greater than 6u211 , 7u201 , 8u191 , and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.

kasune · December 14, 2021, 10:31am

As per announcement ,
Logstash
Exposure to remote code execution on JDKs prior to 8u191. On newer versions of JDKs there is exposure to Denial of Service and information leakage. Requires JndiLookup class removal or update to Logstash version 6.8.21 or 7.16.1 when released on December 13th. Additional details below.

Is this means we do not need to update to new versions(6.8.21,7.16.1) if we can update java version and removal of JndiLookup class?
I am asking this as we are using ES 5.5.0 with Logstash5.50. If we need to update the logstash to newer version we need to update ES to 6.x.x. And our ES cluster is in TBs.

Ravi_GH · December 15, 2021, 6:22am

With respect to "Incomplete fix for Apache Log4j vulnerability" @ Incomplete fix for Apache Log4j vulnerability · CVE-2021-45046 · GitHub Advisory Database · GitHub

Q1) is JndiLookup class removal break any functionality of Logstash? ( in other words is it safe to remove JndiLookup class file? )
Q2) As per info "On recent JDKs the attack is limited to DoS - causing data ingestion to temporarily stop - and information leakage" . What is the recommendation to mitigate this DoS attack?

system · January 12, 2022, 6:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.