CVE-2021-45046 : Incomplete fix for Apache Log4j vulnerability

With respect to "Incomplete fix for Apache Log4j vulnerability" (CVE-2021-45046, GitHub Advisory Database)
I have two questions:

Q1) Does removing the JndiLookup class break any functionality of Logstash? (In other words, is it safe to remove the JndiLookup class file?)
Q2) As per "On recent JDKs the attack is limited to DoS - causing data ingestion to temporarily stop - and information leakage", extracted from ESA-2021-31, what is the recommendation to mitigate this DoS attack (considering Java is a recent version, 8u3xx)?

2 Likes

Q1) Does removing the JndiLookup class break any functionality of Logstash? (In other words, is it safe to remove the JndiLookup class file?)

IFF your config/log4j2.properties was intentionally modified to include JNDI lookups, those lookups would no longer work. I can think of no reason why someone would do this intentionally.

It is safe to remove the JndiLookup class file, which is why it is one of two recommended mitigations.


Q2) As per "On recent JDKs the attack is limited to DoS - causing data ingestion to temporarily stop - and information leakage", extracted from ESA-2021-31, what is the recommendation to mitigate this DoS attack (considering Java is a recent version, 8u3xx)?

The recommended mitigations per ESA-2021-31 remain:

[EDIT: updated to reflect guidance in light of the 2021-12-19 releases of Logstash 7.16.2 and 6.8.22]

1 Like
