Log4j security vulnerability for logstash 6.2.2

Hi,

I'm using an older version of Logstash (6.2.2) and I cannot migrate it just yet. In the meantime, I read that to remediate the log4j issue we should be removing the JNDI class, as noted in "Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31", where I should use the instructions here: "Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation".

I've done all that, but the Wiz security tool that I'm using is picking up packages like

/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.8/lib/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar

which wasn't noted in the instructions. Is this still going to pose an issue? What about the maven dependencies like /root/.m2/repository/log4j-core-2.6.2.jar? Would I be able to simply remove these maven dependencies?

Any advice is much appreciated. Thank you in advance for your time, and let me know if there is additional information that would be helpful.
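The remediation referenced above removes the `JndiLookup` class from each log4j-core jar; a version-only check reports a 2.6.2 jar whether or not that class is still inside it. The following added example (not from the original post or from Elastic) walks a directory tree, inspects every `log4j-core-*.jar` for the class, and can strip it from a jar the same way the documented `zip -d` step does. The sample tree it builds is constructed for the demonstration.

```python
"""Inspect and remediate log4j-core jars by checking for JndiLookup.class."""
import os
import re
import tempfile
import zipfile

# Path of the class that the Logstash remediation instructions delete from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+\.\d+\.\d+)\.jar$")


def scan_for_log4j_core(root):
    """Return (path, version, has_jndi_lookup) for each log4j-core jar under root.

    has_jndi_lookup is None when the jar cannot be opened and needs manual review.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if not match:
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    has_jndi = JNDI_CLASS in jar.namelist()
            except zipfile.BadZipFile:
                has_jndi = None
            findings.append((path, match.group(1), has_jndi))
    return findings


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (the effect of `zip -q -d`).

    Returns True if the class was present and removed, False if it was already absent.
    """
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        kept = [(info, src.read(info.filename)) for info in src.infolist()
                if info.filename != JNDI_CLASS]
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info, data in kept:
            dst.writestr(info, data)
    os.replace(tmp_path, jar_path)  # atomic swap so a crash never leaves a half-written jar
    return True


def make_sample_tree():
    """Constructed sample: a stub log4j-core-2.6.2.jar (with JndiLookup) plus an unrelated jar."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "vendor", "gems", "logstash-output-kafka-7.0.8", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.6.2.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stub bytes, not a real class
    with zipfile.ZipFile(os.path.join(lib, "log4j-api-2.6.2.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root
```

Run `scan_for_log4j_core("/usr/share/logstash")` on a real host to list every bundled log4j-core jar with a yes/no on the class, including the plugin-vendored copies the question asks about.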
