Q1) is JndiLookup class removal break any functionality of Logstash? ( in other words is it safe to remove JndiLookup class file? )
Q2) As per "On recent JDKs the attack is limited to DoS - causing data ingestion to temporarily stop - and information leakage" extract from ESA-2021-31** . What is the recommendation to mitigate this DoS attack ( considering java is recent version 8u3xx)?
Q1) is JndiLookup class removal break any functionality of Logstash? ( in other words is it safe to remove JndiLookup class file? )
IFF your config/log4j2.properties was intentionally modified to include JNDI lookups, those lookups would no longer work. I can think of no reason why someone would do this intentionally.
It is safe to remove the JndiLookup class file, which is why it is one of two recommended mitigations
Q2) As per "On recent JDKs the attack is limited to DoS - causing data ingestion to temporarily stop - and information leakage" extract from ESA-2021-31** . What is the recommendation to mitigate this DoS attack ( considering java is recent version 8u3xx)?
The recommended mitigations per ESA-2021-31 remain:
[EDIT: updated to reflect guidance in light of the 2021-12-19 releases of Logstash 7.16.2 and 6.8.22]
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.