Log4j CVE-2021-44832 (released 28th dec) - is ES vulnerable?

As the title states, is Elasticsearch vulnerable for the new Log4j vulnerability CVE-2021-44832? This is a new vulnerability of which the details were released a few hours ago. Or is this prevented by the security manager?

7 Likes

Is there any update on [Log4j CVE-2021-44832] from Elasticsearch yet ?

1 Like

You may find your answer here ([7.16] Upgrade to log4j 2.17.1 (#82111) by costin · Pull Request #82115 · elastic/elasticsearch · GitHub), it would be available with ES 7.16.3

I saw that, but it doesn't really answer my question. I mean yes it's been updated, that could be for other reasons as well. It doesn't say anything about whether Elasticsearch is vulnerable or not.

Im also in need of a clarification from Elasticsearch. Is ELK is vulnerable to this CVE?
Can someone please clarify?

No, ES versions 6.8.9+ and 7.8+ are not affected by this as stated in community post:

Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage. This is due to Elasticsearch’s usage of the Java Security Manager. Most other versions (5.6.11+, 6.4.0+ and 7.0.0+) can be protected via a simple JVM property change. The information leak vulnerability does not permit access to data within the Elasticsearch cluster. We have released Elasticsearch 7.16.1 and 6.8.21 which contain the JVM property by default and remove certain components of Log4j out of an abundance of caution. This is applicable to both CVE-2021-44228 and CVE-2021-45046. Elasticsearch has no known vulnerabilities to CVE-2021-45105.

On December 19th we released 7.16.2 and 6.8.22 which include the most recent version of Log4j (2.17.0).

The full post can be found here: Apache Log4j2 Remote Code Execution (RCE) Vulnerability

1 Like

That post unfortunately doesn't list the new CVE mentioned in this topic. It addresses all previous 3, but not this new 4th one.

7 Likes

When will Elastic 7.16.3 with Log4j 2.17.1 be released?

2 Likes

As mentioned in the same link I provided earlier, 7.16.3 is targeted for 13th Jan.

Apache Log4j2 Vulnerability - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 - ESA-2021-31

1 Like

They said that there is no known vulnerabilities :

By default, Elasticsearch and Logstash have no known vulnerabilities to this as relevant configuration files are only writable by cluster administrators. We will release 7.16.3 and 6.8.23 to update Log4j to 2.17.1, targeting Jan 13.