FS Crawler 2.4 on Apache Log4j2 Remote Code Execution (RCE) Vulnerability

Hi David, recently we have received about Apache Log4j2 Remote Code Execution (RCE) Vulnerability.

I am using FS Crawler 2.4 version along with ELK 6.8.14, we planned to do remediation plan for log4j in ELK. We would like to know, if we need to what steps we need to do remediation plan for log4j in FS Crawler.

Please share your suggestions.
Thanks in advance,
Joseph

1 Like

Interested ... Any remediation at this time?

I will work on a new version soonish.

In the meantime, I recommend changing the shell script which starts FSCrawler.

For version 2.4, and for unix users, I'd add line 44 of bin/fscrawler, the following lines:

JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

For version 2.4, and for windows users, I'd add line 27 of bin\fscrawler.bat:

set JAVA_OPTS=%JAVA_OPTS% -Dlog4j2.formatMsgNoLookups=true

And restart FSCrawler.

This applies as well to FSCrawler 2.7 but the line number is different 45 for Unix and 33 for Windows.

Thanks a lot David.

FYI FSCrawler 2.8 has been released.

Hi David, One more doubt on this.

Could you please share your comments/suggestions.

Actually FS Crawler 2.4 is using Log4J 2.8.1 version.

As per our security team says 'JAVA_OPTS="$JAVA_OPTS
-Dlog4j2.formatMsgNoLookups=true"' not valid/applicable for the Log4J versions with version less than V 2.10.

Thank You,
Joseph

Ha right!

So I guess you need to do this:

For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Thank You David.

Hi David,
Now, we have LOG4J 2.17.
Could You please suggest, if we need to use this version into FS Crawler 2.4 Version, what action we need to take in our end.

Thanks.

Hi David, Could You please share your suggestion for my above Query.

Thank You,
Joseph

I have no idea. May be try to upgrade manually the dependencies of this version and rebuild a new release?

Ok Thanks David.

FYI I just released FSCrawler 2.9

Sure.. Thanks David. I have downloaded FS Crawler 2.9 to use with ELK 7.16.

Hi David, Could You please share your comments..
One more query like while installing FS Crawler 2.9, Can we update the log4j--2.17.2 in the lib folder as we get latest of log4j?.
Currently, log4j-
-2.17.1 bundled with FS Crawler 2.9.
Thanks,
Joseph

I guess so. Not sure what are the other dependencies that changed as well if any.

Fine, Thanks David. we will check that.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.