CVE-2021-44228 aka log4shell: is logstash and/or elasticsearch affected?

Hi All,

I was wondering if logstash and/or Elasticsearch are affected by this CVE?
More information about this zeroday can be found here: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

I'm not too sure whether or not we're affected, so in the meantime we've shut down all our logstash instances.

Cheers!

4 Likes

I just came here to ask the same question. Another link with details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

3 Likes

Same question as well. Please elaborate on the list of affected and unaffected versions.

Here I see that a version of Elasticsearch seems to be affected: GitHub - YfryTchsGD/Log4jAttackSurface.

1 Like

Not sure it is clear to me, and I can't follow which Elasticsearch versions are affected and which are not.

Search on your host for which version is used by Elasticsearch; mine is log4j-api-2.11.1.jar, located at: /usr/share/Elasticsearch/lib/log4j-api-2.11.1.jar

You can add this: -Dlog4j2.formatMsgNoLookups=true

at the end of the /etc/Elasticsearch/jvm.options file, while waiting for the update to log4j2 2.15.0.

3 Likes

Is it not enough to add log4j.formatMsgNoLookup = true in /etc/elasticsearch/log4j2.properties?

Has anyone from Elastic confirmed these methods?

Just an FYI: bump log4j version to 2.15.0 by jsvd · Pull Request #13494 · elastic/logstash (github.com) was just merged, so it looks like logstash 7.16.1 will contain the new fixed version.

3 Likes

Please see Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31.

We will be making more announcements as details become clearer.

2 Likes

@hocho where have you seen that this can be specified in log4j2.properties? I don't think it can; it must be a system property specified on the JVM command line, e.g. in jvm.options as -Dlog4j2.formatMsgNoLookups=true.

k: [xxxx.xxx-oob] => {

"response.stdout_lines": [

    "/opt/xxx/xxx/elasticsearch7_2.0.6-es7.9.3_1/data/config/log4j2.properties",

    "/opt/xxx/xxx/elasticsearch_1.1.55.2-es5.6.8-2_0/data/config/log4j2.properties"

]

Do I need to be worried about these versions of Elasticsearch?

Thanks

As per the Solutions and Mitigations for Logstash in the Elastic security announcement - Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31, it suggests removing the JndiLookup class from log4j-core-2*.

Solutions and Mitigations:
Users should upgrade to Logstash 6.8.21 or 7.16.1 once they are released (expected Monday 13th December). These releases will replace vulnerable versions of Log4j with Log4j 2.15.0.

The widespread flag -Dlog4j2.formatMsgNoLookups=true is NOT sufficient to mitigate the vulnerability in Logstash in all cases, as Logstash uses Log4j in a way where the flag has no effect. It is therefore necessary to remove the JndiLookup class from the log4j2 core jar, with the following command:

zip -q -d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

Please note that a restart of the Logstash process is necessary for the change to take effect.
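As an added example (not from the thread or from Elastic), a small Python check for the mitigation quoted above: it walks an install tree, finds each log4j-core jar, reads the version from the file name and tests whether JndiLookup.class is still inside, so you can confirm the zip -d step actually took before restarting Logstash. The jar paths and dummy class bytes in build_sample_tree are constructed fixtures, not real Log4j artifacts.

```python
import os
import re
import tempfile
import zipfile

# Class the ESA-2021-31 mitigation strips from log4j-core (the thread's zip -d command).
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def inspect_jar(path):
    """Classify one log4j-core jar by version and by whether JndiLookup.class is still inside."""
    jar = os.path.basename(path)
    m = VERSION_RE.match(jar)
    version = tuple(int(x) for x in m.groups()) if m else None
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_ENTRY in zf.namelist()
    if not has_jndi:
        verdict = "mitigated: JndiLookup.class removed"
    elif version is None or version < (2, 15, 0):
        verdict = "vulnerable: CVE-2021-44228, remove JndiLookup.class or upgrade"
    elif version == (2, 15, 0):
        verdict = "partially fixed: see CVE-2021-45046"
    else:
        verdict = "newer than 2.15.0: check the current Log4j advisory"
    return {"jar": jar, "version": version, "has_jndi": has_jndi, "verdict": verdict}

def scan(root):
    """Walk an install tree and inspect every log4j-core-*.jar found (Logstash keeps
    them under logstash-core/lib/jars, Elasticsearch under lib)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                results[name] = inspect_jar(os.path.join(dirpath, name))
    return results

def build_sample_tree():
    """Constructed fixture: fake jars with dummy class bytes, not real Log4j artifacts."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    fixtures = [("logstash-core/lib/jars", "log4j-core-2.11.1.jar", True),   # untouched
                ("logstash-core/lib/jars", "log4j-core-2.15.0.jar", True),   # 2.15.0 still ships the class
                ("lib", "log4j-core-2.14.1.jar", False)]                    # class stripped with zip -d
    for subdir, name, with_jndi in fixtures:
        os.makedirs(os.path.join(root, subdir), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, subdir, name), "w") as zf:
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")
    return root
```

Run scan() against a real LOGSTASH_HOME or /usr/share/elasticsearch to check a live install; build_sample_tree() only exists so the script can be exercised offline.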

Does it apply to Logstash running on JDK 8u302 with the JVM argument "-Dlog4j2.formatMsgNoLookups=true" without updating log4j-core to v2.15? This blog Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec says:

JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false, meaning JNDI cannot load remote code using LDAP.

As per the announcement:
Logstash
Exposure to remote code execution on JDKs prior to 8u191. On newer versions of JDKs there is exposure to Denial of Service and information leakage. Requires JndiLookup class removal or update to Logstash version 6.8.21 or 7.16.1 when released on December 13th. Additional details below.

Does this mean we do not need to update to the new versions (6.8.21, 7.16.1) if we can update the Java version and remove the JndiLookup class?
I am asking this as we are using ES 5.5.0 with Logstash 5.50. If we need to update Logstash to a newer version, we need to update ES to 6.x.x, and our ES cluster is in the TBs.

With respect to "Incomplete fix for Apache Log4j vulnerability" @ Incomplete fix for Apache Log4j vulnerability · CVE-2021-45046 · GitHub Advisory Database · GitHub

Q1) Does JndiLookup class removal break any functionality of Logstash? (In other words, is it safe to remove the JndiLookup class file?)
Q2) As per the info "On recent JDKs the attack is limited to DoS - causing data ingestion to temporarily stop - and information leakage", what is the recommendation to mitigate this DoS attack?
