Log4j on Elasticsearch 7.9.2

h4h3hj · December 16, 2021, 7:32am

Hi Everyone,

As we know the vulnerability (CVE-2021-44228) impacts multiple versions of the Apache Log4j2

I can see Elastic has updated about this
Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage. This is due to Elasticsearch’s usage of the Java Security Manager. Most other versions (5.6.11+, 6.4.0+ and 7.0.0+) can be protected via a simple JVM property change. The information leak vulnerability does not permit access to data within the Elasticsearch cluster. We have released Elasticsearch 7.16.1 and 6.8.21 which contain the JVM property by default and remove certain components of Log4j out of an abundance of caution.

Currently, I'm having Elasticsearch version 7.9.2 on production server, but I found a lot of packages log4j 2.11.1.jar under elastic (the impact version between 2.0 and 2.14.1)

So, should I worry about it? and consider an upgrade to higher elastic version, i.e 7.16?
or can I safely ignore those ones?

warkolm · December 20, 2021, 12:08am

Welcome to our community!

You should definitely upgrade as a matter of general maintenance. However we will be releasing a new version with upgraded packages very soon.

h4h3hj · December 20, 2021, 2:35am

Thank you very much,
so, should I wait for the new version to be released, or which version can I upgrade to for now?

warkolm · December 20, 2021, 2:38am

Upgrading to 7.16.2 will also upgrade the log4j package to the latest without the flaw(s).

h4h3hj · December 20, 2021, 3:04am

Thank you very much, I really appreciate it

h4klm · January 16, 2022, 10:31pm

Hello Guys currently log4j version 2.11 both core and api
what about remove those jars and replace them with
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/
and restart Elasticsearch service it's working but i don't know if this will fix the vulnerability or even worth impact the data could you please advice

TimV · January 17, 2022, 2:21am

We do not recommend replacing jar files within an existing Elasticsearch install.

Please set Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack for advice on how to address this issue.

h4klm · January 17, 2022, 12:07pm

upgrading live system not recommended on my cause right now can i apply this replacement jars till we manage the upgrade plan what do you think

TimV · January 17, 2022, 12:33pm

My answer is the same as last time you asked.

We do not recommend replacing jar files within an existing Elasticsearch install.

Please follow the official advice on how to address this issue.

system · February 14, 2022, 12:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.