Log4j2 vulnerability mitigation

Hello all,

I was checking the actions needed from our side in the ELK cluster to mitigate the Log4j2 vulnerability found in Dec 2021. We are using 7.9.2 for all ELK components. After investigating and checking the below links:
Introducing 7.16.2 and 6.8.22 releases of Elasticsearch and Logstash to upgrade Apache Log4j2

Apache Log4j2 Remote Code Execution (RCE) Vulnerability

Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation

There are 3 vulnerability issues logged.

I concluded that Elasticsearch won't be affected by CVE-2021-44228 and CVE-2021-45046, but there is no mention of CVE-2021-45105.

For Logstash, there will be information leakage, and it will be mitigated through a script that will solve CVE-2021-44228 and CVE-2021-45046, but again, there is no mention of CVE-2021-45105.

My questions:

  1. What is the minimum effort needed to mitigate all 3 vulnerabilities? Do we need an additional mitigation script or something for Elasticsearch and Logstash to solve CVE-2021-45105, or won't we need that?

  2. Can we upgrade only log4j2 to version 2.17.1, or is this not an option?


The forum post about log4j vulnerabilities that you shared has all the information you need.

It mentions CVE-2021-45105 many times saying that both Logstash and Elasticsearch are not vulnerable to it.

Dec 18, 2021 - 23:40 UTC - Added statement that Elasticsearch, Logstash, and APM Java agent have no known vulnerabilities to CVE-2021-45105

The version you are using has reached EOL and is not supported anymore; you need to update to the last version in the version 7 branch, which is 7.17.10.

Check the breaking changes between your version and the last one and plan your upgrade.

No, not possible, you cannot upgrade just the log4j library, you need to upgrade the entire tool.

Thanks @leandrojmp

For the EOL issue, I am using 7.9.2, not 5.0.0. Has this version also reached EOL?

Yes, from the version 7 branch, only 7.17.X is still maintained and supported.

You should upgrade to 7.17.10 and after that plan an upgrade to 8.8.

Thanks @leandrojmp

Just one last question:

If the upgrade can't be done now, is the only option to use the procedure mentioned to remove the JndiLookup class to mitigate Logstash? Elasticsearch already does not need any mitigation procedure.

Everything related to Log4j and any Elastic Tool is already answered in the second link you shared.

If you can't upgrade the only option is to use the procedure indicated on that link.
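An added example, not part of the thread and not Elastic's own procedure: a check a defender could run after the JndiLookup removal discussed above, to confirm that no archive under an install directory still carries the class. The directory argument, the function names and the nesting depth limit are assumptions.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class that the mitigation procedure removes from the log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # assumed limit on archives nested inside archives


def _scan_archive(data, label, hits, unreadable, depth=0):
    """Append label to hits if the archive holds JndiLookup.class.

    Nested archives (fat jars) are read into memory and scanned too.
    Archives that cannot be read are reported, never silently skipped.
    """
    try:
        with zipfile.ZipFile(data) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                    inner = io.BytesIO(zf.read(name))
                    _scan_archive(inner, f"{label}!/{name}", hits,
                                  unreadable, depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError, NotImplementedError):
        unreadable.append(label)


def find_jndi_lookup(root):
    """Return (hits, unreadable) for every archive found under root."""
    hits, unreadable = [], []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_archive(str(path), str(path), hits, unreadable)
    return hits, unreadable


if __name__ == "__main__":
    # Usage: python check_jndi.py <install-directory>
    found, failed = find_jndi_lookup(sys.argv[1] if len(sys.argv) > 1 else ".")
    for item in found:
        print("JndiLookup.class still present:", item)
    for item in failed:
        print("could not read, check manually:", item)
    sys.exit(1 if found or failed else 0)
```

A non-zero exit status means at least one archive still contains the class or could not be inspected, so the result can gate a deployment or be collected by a configuration-management run.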

