Log4j security vulnerability and plugins which bundle / vendor dependencies

This is addressed in the ESA-2021-31 security announcement.

More details:

  • Most plugins rely on log4j-api, which allows the plugins to use log4j provided by the application without providing their own. The log4j-api is not vulnerable to the CVE.
  • 7.16.1 and 6.8.21 provide log4j-core 2.15, and also both still include an old, unreachable log4j-core in one of their bundled plugins (TCP input).
  • The jar is unreachable (and therefore not exploitable) because of how plugins are loaded in Logstash, but removing its JNDI lookup class is a safe mechanism to add peace of mind.
  • Updated versions of the TCP Input have been released to rely only on log4j-api and will be included in any subsequent patch releases.
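An added example, not code from the post or from Elastic: a small Python tool that walks a Logstash plugin tree, lists every bundled `log4j-core-*.jar`, and rewrites each one without the `JndiLookup` class, which is the mitigation the post describes for the old jar vendored by the TCP input. The directory layout, the jar name and the jar contents in `demo()` are constructed stand-ins; on a real installation point `find_log4j_core_jars` at the plugin's vendor directory instead.

```python
"""Locate bundled log4j-core jars and strip the JndiLookup class from them."""
import os
import re
import tempfile
import zipfile

# Class whose removal disables JNDI lookups in log4j-core 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")


def find_log4j_core_jars(root):
    """Return sorted [(path, version)] for every log4j-core jar under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                found.append((os.path.join(dirpath, name), m.group(1)))
    return sorted(found)


def has_jndi_lookup(jar_path):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar in place without JndiLookup; return True if removed."""
    if not has_jndi_lookup(jar_path):
        return False
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:  # copy every other entry as-is
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap so a crash never leaves a half-written jar
    return True


def demo():
    """Constructed plugin tree with a fake old log4j-core jar (not a real artifact)."""
    root = tempfile.mkdtemp()
    vendor = os.path.join(root, "vendor", "jar-dependencies")  # assumed layout
    os.makedirs(vendor)
    jar = os.path.join(vendor, "log4j-core-2.0.0.jar")  # constructed version label
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    versions = [v for _p, v in find_log4j_core_jars(root)]
    before = has_jndi_lookup(jar)
    removed = strip_jndi_lookup(jar)
    return versions, before, removed, has_jndi_lookup(jar)


if __name__ == "__main__":
    print(demo())  # (['2.0.0'], True, True, False)
```

Run the tool on a copy of the plugin directory first and verify the rewritten jar still loads in a test instance before replacing the vendored one.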