Log4j CVE-2021-44832 (released 28th dec) - is ES vulnerable?

Vashiru · December 29, 2021, 12:08am

As the title states, is Elasticsearch vulnerable for the new Log4j vulnerability CVE-2021-44832? This is a new vulnerability of which the details were released a few hours ago. Or is this prevented by the security manager?

Chiranjiv_Choudhary · December 29, 2021, 3:30pm

Is there any update on [Log4j CVE-2021-44832] from Elasticsearch yet ?

jeansalama · December 31, 2021, 5:15pm

You may find your answer here ([7.16] Upgrade to log4j 2.17.1 (#82111) by costin · Pull Request #82115 · elastic/elasticsearch · GitHub), it would be available with ES 7.16.3

Vashiru · January 1, 2022, 11:17am

I saw that, but it doesn't really answer my question. I mean yes it's been updated, that could be for other reasons as well. It doesn't say anything about whether Elasticsearch is vulnerable or not.

Ram_N · January 3, 2022, 4:53am

Im also in need of a clarification from Elasticsearch. Is ELK is vulnerable to this CVE?
Can someone please clarify?

Ayush_Mathur · January 3, 2022, 2:11pm

No, ES versions 6.8.9+ and 7.8+ are not affected by this as stated in community post:

Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage. This is due to Elasticsearch’s usage of the Java Security Manager. Most other versions (5.6.11+, 6.4.0+ and 7.0.0+) can be protected via a simple JVM property change. The information leak vulnerability does not permit access to data within the Elasticsearch cluster. We have released Elasticsearch 7.16.1 and 6.8.21 which contain the JVM property by default and remove certain components of Log4j out of an abundance of caution. This is applicable to both CVE-2021-44228 and CVE-2021-45046. Elasticsearch has no known vulnerabilities to CVE-2021-45105.

On December 19th we released 7.16.2 and 6.8.22 which include the most recent version of Log4j (2.17.0).

The full post can be found here: Apache Log4j2 Remote Code Execution (RCE) Vulnerability

Vashiru · January 3, 2022, 2:33pm

That post unfortunately doesn't list the new CVE mentioned in this topic. It addresses all previous 3, but not this new 4th one.

Neil_A_Chikode · January 5, 2022, 8:38pm

When will Elastic 7.16.3 with Log4j 2.17.1 be released?

Ayush_Mathur · January 7, 2022, 5:16pm

As mentioned in the same link I provided earlier, 7.16.3 is targeted for 13th Jan.

Apache Log4j2 Vulnerability - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 - ESA-2021-31

jeansalama · January 10, 2022, 9:04pm

They said that there is no known vulnerabilities :

By default, Elasticsearch and Logstash have no known vulnerabilities to this as relevant configuration files are only writable by cluster administrators. We will release 7.16.3 and 6.8.23 to update Log4j to 2.17.1, targeting Jan 13.

system · February 7, 2022, 9:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.