FS Crawler 2.4 on Apache Log4j2 Remote Code Execution (RCE) Vulnerability

joseph-l.amalraj · December 13, 2021, 12:43pm

Hi David, recently we have received about Apache Log4j2 Remote Code Execution (RCE) Vulnerability.

I am using FS Crawler 2.4 version along with ELK 6.8.14, we planned to do remediation plan for log4j in ELK. We would like to know, if we need to what steps we need to do remediation plan for log4j in FS Crawler.

Please share your suggestions.
Thanks in advance,
Joseph

Gianluigi_Sellitto · December 13, 2021, 1:09pm

Interested ... Any remediation at this time?

dadoonet · December 13, 2021, 3:05pm

I will work on a new version soonish.

In the meantime, I recommend changing the shell script which starts FSCrawler.

For version 2.4, and for unix users, I'd add line 44 of bin/fscrawler, the following lines:

JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

For version 2.4, and for windows users, I'd add line 27 of bin\fscrawler.bat:

set JAVA_OPTS=%JAVA_OPTS% -Dlog4j2.formatMsgNoLookups=true

And restart FSCrawler.

This applies as well to FSCrawler 2.7 but the line number is different 45 for Unix and 33 for Windows.

joseph-l.amalraj · December 13, 2021, 3:35pm

Thanks a lot David.

dadoonet · December 14, 2021, 6:32am

FYI FSCrawler 2.8 has been released.

joseph-l.amalraj · December 14, 2021, 6:06pm

Hi David, One more doubt on this.

Could you please share your comments/suggestions.

Actually FS Crawler 2.4 is using Log4J 2.8.1 version.

As per our security team says 'JAVA_OPTS="$JAVA_OPTS
-Dlog4j2.formatMsgNoLookups=true"' not valid/applicable for the Log4J versions with version less than V 2.10.

Thank You,
Joseph

dadoonet · December 14, 2021, 6:53pm

Ha right!

So I guess you need to do this:

For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

joseph-l.amalraj · December 15, 2021, 3:27pm

Thank You David.

joseph-l.amalraj · January 6, 2022, 8:02am

Hi David,
Now, we have LOG4J 2.17.
Could You please suggest, if we need to use this version into FS Crawler 2.4 Version, what action we need to take in our end.

Thanks.

joseph-l.amalraj · January 7, 2022, 8:55am

Hi David, Could You please share your suggestion for my above Query.

Thank You,
Joseph

dadoonet · January 10, 2022, 2:51pm

I have no idea. May be try to upgrade manually the dependencies of this version and rebuild a new release?

joseph-l.amalraj · January 10, 2022, 5:27pm

Ok Thanks David.

dadoonet · January 10, 2022, 7:33pm

FYI I just released FSCrawler 2.9

joseph-l.amalraj · January 28, 2022, 5:16pm

Sure.. Thanks David. I have downloaded FS Crawler 2.9 to use with ELK 7.16.

joseph-l.amalraj · January 28, 2022, 5:19pm

Hi David, Could You please share your comments..
One more query like while installing FS Crawler 2.9, Can we update the log4j--2.17.2 in the lib folder as we get latest of log4j?.
Currently, log4j--2.17.1 bundled with FS Crawler 2.9.
Thanks,
Joseph

dadoonet · January 28, 2022, 6:02pm

I guess so. Not sure what are the other dependencies that changed as well if any.

joseph-l.amalraj · January 28, 2022, 6:14pm

Fine, Thanks David. we will check that.

system · February 25, 2022, 6:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 Security Announcements	7	347685	November 4, 2022
Addressing log4j vulnerability for 1.x and 2.x elasticsearch Elasticsearch	2	1529	January 18, 2022
How do I Mitigate LOG4J CVE on Elasticsearch 7.4.0? Elasticsearch	3	613	January 4, 2023
When will the next patch be released for Elasticsearch Elasticsearch	8	1628	January 17, 2022
Does Log4j vulnerability (CVE-2021-44228) is impacted for ES v7.5.2? Elasticsearch	2	1269	January 17, 2022

FS Crawler 2.4 on Apache Log4j2 Remote Code Execution (RCE) Vulnerability

Related topics