CVE-2021-44228 not using XPack, does exposure change?

falcon404 · December 15, 2021, 4:59pm

Hi,
We are running Elasticsearch and not enabling / installing X-Pack for reasons.

With regard to the log4j2 vulnerability CVE-2021-44228, there has been mention of setting property or upgrading to a later version (I believe this was 7.8+ now on Java 9 or higher, but its not vital to my question)

My question is if we do not run X-Pack, are we still vulnerable?

When setting the JVM property, is the fix affected by presence of X-Pack?
When upgrading to 7.8+ is the fix dependent on the presence of X-Pack?

Follow up question:
We run most of our nodes in "single-node" mode, not cluster.

Elasticsearch.yml
discovery.type: single-node

Single node mode to my understanding already skips startup checks and is different in some ways from running it in "production / cluster mode"

Does this affect the proposed vulnerability fix at all?

TimV · December 16, 2021, 1:18am

Nothing in the security announcement for this issue is specific to which plugins you have installed or the number of nodes in your cluster.

You should follow the recommendations in that announcement.

system · January 13, 2022, 1:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Log4j CVE-2021-44832 (released 28th dec) - is ES vulnerable? Elasticsearch	10	6644	February 7, 2022
Log4j on Elasticsearch 7.9.2 Elasticsearch	9	3344	February 14, 2022
Log4j Vulnerability Elasticsearch 7.8.0 Elasticsearch	8	768	July 4, 2023
Does Log4j vulnerability (CVE-2021-44228) is impacted for ES v7.5.2? Elasticsearch	2	1269	January 17, 2022
Is Elasticsearch affected by CVE-2021-45046 - a second vulnerability in log4j? Elasticsearch	2	5953	January 12, 2022

CVE-2021-44228 not using XPack, does exposure change?

Related topics