Elasticsearch 7.16.3 Log4j Vulnerability log4j-core-2.11.1.jar still persists

Hi Team,

In the wake of the recent log4j vulnerability, we have updated our production stack to version 7.16.3.
Post upgrade, under /usr/share/elasticsearch/lib/ the log4j-core is of version 2.17.1.
However, in /etc/elasticsearch/lib/ the log4j-core and log4j-api jars are still of version 2.11.1.
This is flagged by our Security Team and needs to be fixed. I do not see in the Elastic Announcements which of the log4j jar files are supposed to be updated to 2.17.1.

[root@jcpvirtualserver-new logstash]# find / -name 'log4j*'
/etc/logstash/log4j2.properties
/etc/elasticsearch/log4j2.properties
/etc/elasticsearch/modules/x-pack-identity-provider/log4j-slf4j-impl-2.11.1.jar
/etc/elasticsearch/modules/x-pack-security/log4j-slf4j-impl-2.11.1.jar
/etc/elasticsearch/modules/x-pack-core/log4j-1.2-api-2.11.1.jar
**/etc/elasticsearch/lib/log4j-api-2.11.1.jar**
**/etc/elasticsearch/lib/log4j-core-2.11.1.jar**
/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.17.1.jar
/usr/share/logstash/logstash-core/lib/jars/log4j-1.2-api-2.17.1.jar
/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.17.1.jar
/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.17.1.jar
/usr/share/logstash/logstash-core/lib/jars/log4j-jcl-2.17.1.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.4.2/vendor/jar-dependencies/org/apache/logging/log4j
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.4.2/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.4.2/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jruby-jms-1.3.0-java/test/log4j.properties
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.14-java/vendor/jar-dependencies/org/apache/logging/log4j
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.14-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.2.4-java/vendor/jar-dependencies/org/apache/logging/log4j
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.2.4-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.4.4-java/vendor/jar-dependencies/org/apache/logging/log4j
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.4.4-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/elasticsearch/modules/x-pack-identity-provider/log4j-slf4j-impl-2.17.1.jar
/usr/share/elasticsearch/modules/x-pack-security/log4j-slf4j-impl-2.17.1.jar
/usr/share/elasticsearch/modules/x-pack-core/log4j-1.2-api-2.17.1.jar
/usr/share/elasticsearch/modules/repository-url/log4j-1.2-api-2.17.1.jar
/usr/share/elasticsearch/modules/vector-tile/log4j-slf4j-impl-2.17.1.jar
/usr/share/elasticsearch/lib/log4j-api-2.17.1.jar

Any advice on how to fix the vulnerability?

Regards,
Pavan

/etc/elasticsearch/lib/log4j-api-2.11.1.jar
/etc/elasticsearch/lib/log4j-core-2.11.1.jar

These files are not included with 7.16.3. Please double-check the steps you performed to install or upgrade to 7.16.3.
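To turn a `find` listing like the one in the question into a short list of leftovers, the following added example (not from the thread or from Elastic) reads paths on stdin and prints every log4j jar whose filename version is below 2.17.1, the version the thread treats as fixed. The function names are hypothetical, the sample paths are copied from the listing above, and `sort -V` (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example: flag log4j 2.x jars whose filename version is below MIN_VERSION.
# Real use (as root):  find / -name 'log4j*.jar' 2>/dev/null | stale_log4j_jars

MIN_VERSION="2.17.1"   # fixed version named in the thread

# version_lt A B: succeeds when A is strictly older than B.
# sort -V compares numerically per component, so 2.9.0 < 2.17.1.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# stale_log4j_jars: read paths on stdin, print "<version> <path>" for old jars.
stale_log4j_jars() {
    while IFS= read -r path; do
        base=${path##*/}
        # Take the trailing x.y.z from log4j-<artifact>-<x.y.z>.jar.
        # Directories and log4j2.properties do not match and are skipped.
        ver=$(printf '%s\n' "$base" |
              sed -n 's/^log4j-.*-\([0-9][0-9.]*[0-9]\)\.jar$/\1/p')
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$MIN_VERSION"; then
            printf '%s %s\n' "$ver" "$path"
        fi
    done
}

# Sample input: a few lines copied from the find output in the question.
sample_paths() {
    cat <<'EOF'
/etc/elasticsearch/log4j2.properties
/etc/elasticsearch/modules/x-pack-core/log4j-1.2-api-2.11.1.jar
/etc/elasticsearch/lib/log4j-core-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-api-2.17.1.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.4.4-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
EOF
}

sample_paths | stale_log4j_jars
```

The check trusts the version in the filename, so it will not see log4j classes repackaged inside another jar. Any path it prints outside the directories the current package installs into is a candidate leftover from an earlier install, which is the situation the reply describes.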
