Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation

Note — If you are not running Elasticsearch 5.0.0-5.6.10 or 6.0.0-6.3.2, these instructions do not apply. Please follow the guidance in the main announcement.

Instructions for removing JndiLookup from the log4j-core JAR file

These instructions only apply to users running Elasticsearch versions between 5.0.0 and 5.6.10 (inclusive) or between 6.0.0 and 6.3.2 (inclusive). These must not be used in other versions of Elasticsearch as there are safer, supported remediations (or no remediation is necessary).

Note: These instructions require making manual changes to files within the Elasticsearch installation. Such changes always carry a degree of risk and Elastic's recommendation is to upgrade to a supported version of Elasticsearch in preference to manual patching.

On Linux or MacOS

  1. These instructions assume the existence of the zip utility on your operating system. You can confirm that zip is available by entering zip in a terminal window. If the output includes copyright text and a list of options, then the "zip" utility is available. If the output is an error message such as

    • command not found: zip or

    • The program 'zip' can be found in the following packages

    then you need to install the zip utility on your operating system. Please consult your operating system vendor's documentation for installing packages.

  2. These instructions must be executed as a user that has write access to the Elasticsearch lib/ directory (and the files within it). The correct user will depend on how you installed Elasticsearch. If you encounter Permission denied errors during this process, please check that you are logged in as the correct user.

    In some cases you may be required to use the sudo utility to perform a modification to the files. This is typically only necessary if the files are owned by the root user. If the files are owned by a regular user, the use of sudo may result in a change of ownership of those files, leaving them unreadable by the Elasticsearch process.

  3. In a terminal window, change your working directory (cd) to the root directory for your Elasticsearch installation. For installations from zip or tar files, this is the directory where you installed Elasticsearch. For installations from RPM or Debian (.deb) packages, this will be /usr/share/elasticsearch.

  4. Confirm that you are in the correct directory, and that the log4j file exists with:

    ls -l lib/log4j-core-*.jar
    • If the output is a listing for a file, then you are in the correct directory.

    • If there is an error, then one of the following may be true:

      1. you are in the incorrect directory - check that you are in the Elasticsearch home directory

      2. you have a typo in your command - check that you have entered it exactly as above

      3. you are already on an up-to-date version of Elasticsearch (6.8.21+ or 7.16.1+) that does not contain this vulnerable version of the log4j JAR file - check your Elasticsearch version

  5. Make a backup of the vulnerable log4j JAR file with:

    zip ./backup-log4j.zip lib/log4j-core-*.jar

    This backup file may be useful if you make a mistake in any of the subsequent steps, or experience any problems with the updated JAR file. You can safely delete it once you are confident that your Elasticsearch node is working correctly.

    Note: It is important that you follow the above command as written. Other methods for backing up the JAR file risk having it included on the Elasticsearch classpath during execution, which may prevent your node from starting correctly.

  6. Remove the vulnerable class from your log4j JAR file with:

    zip -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    • If the output is deleting: org/apache/logging/log4j/core/lookup/JndiLookup.class, then the command has been successful

    • If the output is zip error: Nothing to do!, it means the class has already been deleted

    • Any other error is an indication of a problem and you should review your steps.

    Note: If running the above command produces a series of lines that look like:

    zip warning: Local Version Needed To Extract does not match CD: org/apache/logging/log4j/core/util/WatchManager$WatchRunnable.class

    this has no effect on the removal of the vulnerable class and can safely be ignored.

  7. Confirm the removal of the vulnerable class with:

    jar tvf lib/log4j-core-*.jar | grep -i JndiLookup
    • If the removal has been successful, there will be no output.

    • If the output includes a listing for an entry in the JAR file, then the removal was not successful. Please review previous steps for any error messages.

    • Any other error is an indication of a problem and you should review your steps.

  8. Restart the Elasticsearch node

  9. Repeat these steps for every Elasticsearch node in your cluster
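The same check and removal as the steps above, written as an added example in Python's zipfile module rather than with the zip and jar utilities (this is not part of Elastic's instructions); it is useful for verifying nodes where zip is not installed. It assumes a stand-in JAR constructed in a temporary directory, and replaces the in-place `zip -d` delete with a rewrite of the archive that keeps every other entry.

```python
"""Added example: check a node's log4j-core JAR for JndiLookup.class and remove it."""
import os
import shutil
import tempfile
import zipfile

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jndi_lookup_present(jar_path):
    """Same check as `jar tvf ... | grep -i JndiLookup`: True while the class is in the JAR."""
    with zipfile.ZipFile(jar_path) as jar:
        return any("jndilookup" in n.lower() for n in jar.namelist())


def remove_jndi_lookup(jar_path, backup_zip):
    """Back up the JAR into backup_zip, then rewrite it without JNDI_ENTRY (zipfile cannot delete
    in place like `zip -d`). Returns True if removed, False if already gone ("Nothing to do!")."""
    with zipfile.ZipFile(backup_zip, "w", zipfile.ZIP_DEFLATED) as backup:
        backup.write(jar_path, arcname=os.path.basename(jar_path))
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(os.path.abspath(jar_path)))
    os.close(fd)  # ".tmp", not ".jar": a stray file in lib/ must never land on the classpath
    removed = False
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_ENTRY:
                    removed = True
                    continue
                dst.writestr(info, src.read(info.filename))  # keeps compression and timestamps
        shutil.copymode(jar_path, tmp_path)
        os.replace(tmp_path, jar_path)  # atomic swap, so the node never sees a half-written JAR
    except BaseException:
        os.unlink(tmp_path)
        raise
    return removed


def demo():
    """Run the whole procedure against a constructed stand-in JAR (not a real log4j build)."""
    es_home = tempfile.mkdtemp()
    os.makedirs(os.path.join(es_home, "lib"))
    jar_path = os.path.join(es_home, "lib", "log4j-core-SAMPLE.jar")  # constructed name
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe placeholder, not real bytecode")
        jar.writestr("org/apache/logging/log4j/core/util/WatchManager.class", b"\xca\xfe\xba\xbe")
    before = jndi_lookup_present(jar_path)
    removed = remove_jndi_lookup(jar_path, os.path.join(es_home, "backup-log4j.zip"))
    after = jndi_lookup_present(jar_path)
    again = remove_jndi_lookup(jar_path, os.path.join(es_home, "backup-log4j-2.zip"))
    shutil.rmtree(es_home)
    return before, removed, after, again  # -> (True, True, False, False)
```

The backup archive is written next to the node's home directory, not inside lib/, for the classpath reason the note in step 5 gives.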