Search on your host for which version is used by Elasticsearch. Mine is log4j-api-2.11.1.jar, which is located at: /usr/share/Elasticsearch/lib/log4j-api-2.11.1.jar
You can add this: -Dlog4j2.formatMsgNoLookups=true
at the end of the /etc/Elasticsearch/jvm.options file, while waiting for the update to log4j2 2.15.0.
@hocho where have you seen that this can be specified in log4j2.properties? I don't think it can; it must be a system property specified on the JVM command line, e.g. in jvm.options as -Dlog4j2.formatMsgNoLookups=true.
Solutions and Mitigations:
Users should upgrade to Logstash 6.8.21 or 7.16.1 once they are released (expected Monday 13th December). These releases will replace vulnerable versions of Log4j with Log4j 2.15.0.
The widespread flag -Dlog4j2.formatMsgNoLookups=true is NOT sufficient to mitigate the vulnerability in Logstash in all cases, as Logstash uses Log4j in a way where the flag has no effect. It is therefore necessary to remove the JndiLookup class from the log4j2 core jar, with the following command:
zip -q -d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
Please note that a restart of the Logstash process is necessary for the change to take effect.
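The two mitigations in this thread (the -Dlog4j2.formatMsgNoLookups=true line added to jvm.options for Elasticsearch, and the zip -d removal of JndiLookup.class from the Logstash log4j-core jar) are easy to apply on one box and easy to miss on the tenth. The script below is an added example, not code from Elastic or from the Logstash/Elasticsearch projects: it walks a directory tree for log4j-core-*.jar files, reads the version from the filename, reports which jars still carry org/apache/logging/log4j/core/lookup/JndiLookup.class, rewrites those jars without it (the standard-library zipfile module cannot delete in place, so this is a rewrite-and-atomic-replace equivalent of the advisory's zip -q -d command), and checks whether an active jvm.options line sets the flag. The directory layout, the fake jar contents and the sample jvm.options in demo() are constructed for the demonstration; point scan_jars() and jvm_options_has_no_lookups() at your own install, and restart the process afterwards as the advisory says.

```python
"""Audit and mitigate Log4Shell exposure on a host, following the steps in this thread.

Added example; not code from Elastic or the Logstash/Elasticsearch projects.
Reimplements  zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class
with zipfile (rewrite + atomic replace) and checks jvm.options for the
-Dlog4j2.formatMsgNoLookups=true line. Paths and fixtures in demo() are constructed.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # the Logstash releases in the advisory ship Log4j 2.15.0
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
_JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def log4j_core_version(jar_path):
    """(major, minor, patch) parsed from a log4j-core jar filename, or None for other files."""
    m = _JAR_NAME.match(os.path.basename(jar_path))
    return tuple(int(x) for x in m.groups()) if m else None


def jar_entries(jar_path):
    """Sorted list of entry names in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())


def has_jndi_lookup(jar_path):
    """True while JndiLookup.class is still inside the jar."""
    return JNDI_LOOKUP_CLASS in jar_entries(jar_path)


def remove_jndi_lookup(jar_path):
    """Drop JndiLookup.class from the jar (equivalent of zip -d). Returns True if it was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps each entry's compression type
    shutil.copymode(jar_path, tmp_path)
    os.replace(tmp_path, jar_path)  # same path the JVM classpath points at; restart still needed
    return True


def scan_jars(root):
    """Walk root; for each log4j-core jar report version and whether class removal is still needed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is None:
                continue
            findings.append({"path": path, "version": version,
                             "needs_mitigation": version < FIXED_VERSION and has_jndi_lookup(path)})
    return sorted(findings, key=lambda f: f["path"])


def jvm_options_has_no_lookups(jvm_options_path):
    """True if an active (non-comment) line sets the flag; tolerates the '8-:' version-prefix syntax."""
    with open(jvm_options_path) as f:
        for raw in f:
            line = raw.strip()
            if line and not line.startswith("#") and line.rsplit(":", 1)[-1] == NO_LOOKUPS_FLAG:
                return True
    return False


def build_sample_jar(path, with_jndi=True):
    """Constructed fixture: a fake log4j-core jar with placeholder class bytes, not real Log4j."""
    with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build a throwaway Logstash-like tree, mitigate it, and return what each step observed."""
    root = tempfile.mkdtemp()
    try:
        jars = os.path.join(root, "logstash-core", "lib", "jars")
        os.makedirs(jars)
        build_sample_jar(os.path.join(jars, "log4j-core-2.11.1.jar"))  # vulnerable version
        build_sample_jar(os.path.join(jars, "log4j-core-2.15.0.jar"))  # the advisory's fixed version
        opts = os.path.join(root, "jvm.options")
        with open(opts, "w") as f:
            f.write("-Xms1g\n# -Dlog4j2.formatMsgNoLookups=true\n")  # flag present but commented out
        before = scan_jars(root)
        flag_before = jvm_options_has_no_lookups(opts)
        removed = [remove_jndi_lookup(f["path"]) for f in before if f["needs_mitigation"]]
        with open(opts, "a") as f:
            f.write(NO_LOOKUPS_FLAG + "\n")  # the line the Elasticsearch post appends
        return {"before": before, "removed": removed, "after": scan_jars(root),
                "entries_after": jar_entries(os.path.join(jars, "log4j-core-2.11.1.jar")),
                "flag_before": flag_before, "flag_after": jvm_options_has_no_lookups(opts)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats worth keeping in mind when running this for real: the version check only looks at the filename, so a renamed or shaded jar needs has_jndi_lookup() directly, and removing the class only neutralises the JNDI lookup path, so the advisory's instruction to upgrade to the 2.15.0-based releases still stands.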
JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false, meaning JNDI cannot load remote code using LDAP.
As per the announcement, Logstash:
Exposure to remote code execution on JDKs prior to 8u191. On newer versions of JDKs there is exposure to Denial of Service and information leakage. Requires JndiLookup class removal or update to Logstash version 6.8.21 or 7.16.1 when released on December 13th. Additional details below.
Does this mean we do not need to update to the new versions (6.8.21, 7.16.1) if we can update the Java version and remove the JndiLookup class?
I am asking this as we are using ES 5.5.0 with Logstash 5.5.0. If we need to update Logstash to a newer version we need to update ES to 6.x.x, and our ES cluster is in TBs.
Q1) Does removing the JndiLookup class break any functionality of Logstash? (In other words, is it safe to remove the JndiLookup class file?)
Q2) As per the info "On recent JDKs the attack is limited to DoS - causing data ingestion to temporarily stop - and information leakage", what is the recommendation to mitigate this DoS attack?