The Solutions and Mitigations section for Logstash in the Elastic security announcement "Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31" suggests removing the JndiLookup class from log4j-core-2*.
Solutions and Mitigations:
Users should upgrade to Logstash 6.8.21 or 7.16.1 once they are released (expected Monday 13th December). These releases will replace vulnerable versions of Log4j with Log4j 2.15.0.
The widespread flag -Dlog4j2.formatMsgNoLookups=true is NOT sufficient to mitigate the vulnerability in Logstash in all cases, as Logstash uses Log4j in a way where the flag has no effect. It is therefore necessary to remove the JndiLookup class from the log4j2 core jar, with the following command:
zip -q -d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
Please note that a restart of the Logstash process is necessary for the change to take effect.
Does it apply to Logstash running on JDK 8u302 with the JVM argument "-Dlog4j2.formatMsgNoLookups=true", without updating to log4j-core v2.15? This blog, "Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package" (LunaSec), says:
JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.
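Added example, not code from the Elastic advisory, Logstash or LunaSec: a stand-alone Python script that audits the jar path the advisory names (<LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.*) for JndiLookup.class and, with --fix, rewrites the jar without it, which has the same effect as the zip -d command quoted above but needs only the Python standard library. The file name log4j-core-2.SAMPLE.jar and the jar contents built by make_sample_install are constructed placeholders so the script can be run offline; against a real install you pass the Logstash home directory instead.

```python
import glob
import io
import os
import tempfile
import zipfile

# Class the advisory tells Logstash users to delete from the log4j-core jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(logstash_home):
    """Return every log4j-core-2.* jar in the directory the advisory names."""
    pattern = os.path.join(logstash_home, "logstash-core", "lib", "jars", "log4j-core-2.*")
    return sorted(glob.glob(pattern))


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class, i.e. the mitigation is not applied."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what `zip -d` does); True if changed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP:
                    continue  # drop only this one class, keep everything else as-is
                dst.writestr(info.filename, src.read(info.filename),
                             compress_type=info.compress_type)
    tmp = jar_path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(buf.getvalue())
    os.replace(tmp, jar_path)  # atomic swap: a crash cannot leave a half-written jar
    return True


def audit(logstash_home, fix=False):
    """Map each log4j-core jar under logstash_home to 'clean', 'vulnerable' or 'stripped'."""
    results = {}
    for jar in find_log4j_core_jars(logstash_home):
        if not has_jndi_lookup(jar):
            results[jar] = "clean"
        elif fix and strip_jndi_lookup(jar):
            results[jar] = "stripped"
        else:
            results[jar] = "vulnerable"
    return results


def make_sample_install(root, include_jndi=True):
    """Construct a stand-in Logstash tree with a fake jar (not a real log4j build)."""
    jars = os.path.join(root, "logstash-core", "lib", "jars")
    os.makedirs(jars, exist_ok=True)
    jar = os.path.join(jars, "log4j-core-2.SAMPLE.jar")  # placeholder version string
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # dummy class bytes
    return jar


def demo():
    """Audit, fix and re-audit a constructed install; returns the three status lists."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_install(root)
        before = sorted(audit(root).values())
        fixed = sorted(audit(root, fix=True).values())
        after = sorted(audit(root).values())
        return before, fixed, after


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--fix"]
    if args:
        for jar, status in audit(args[0], fix="--fix" in sys.argv).items():
            print(f"{status:10s} {jar}")
    else:
        print(demo())
```

Run it as `python3 audit_log4j.py <LOGSTASH_HOME>` to list each jar's status, and add `--fix` to strip the class; as the advisory notes, Logstash must be restarted afterwards for the change to take effect, and re-running the audit should then report every jar as clean.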