There are 3 vulnerability issues logged
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
I concluded that Elasticsearch won't be affected by CVE-2021-44228 and CVE-2021-45046, but there is no mention of CVE-2021-45105.
For Logstash, there will be Information Leakage, and it will be mitigated through a script that will solve CVE-2021-44228 and CVE-2021-45046, but again, there is no mention of CVE-2021-45105.
My questions:
What is the minimum effort needed to mitigate all 3 vulnerabilities? Do we need an additional mitigation script or something for Elasticsearch and Logstash to solve CVE-2021-45105, or won't we need that?
Can we upgrade only log4j2 to version 2.17.1, or is this not an option?
The forum post about log4j vulnerabilities that you shared has all the information you need.
It mentions CVE-2021-45105 many times saying that both Logstash and Elasticsearch are not vulnerable to it.
Dec 18, 2021 - 23:40 UTC - Added statement that Elasticsearch, Logstash, and APM Java agent have no known vulnerabilities to CVE-2021-45105
The version you are using has reached EOL and is not supported anymore; you need to update to the last version in the version 7 branch, which is 7.17.10.
Check the breaking changes between your version and the last one and plan your upgrade.
No, not possible. You cannot upgrade just the log4j library; you need to upgrade the entire tool.
If the upgrade can't be done now, the only option is using the procedure mentioned to remove the JndiLookup class to mitigate Logstash? Elasticsearch already does not have any mitigation procedure needed.
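An added example, not part of the thread and not Elastic's own script: one way to verify on disk that the JndiLookup class removal mentioned above has actually been applied to every log4j-core jar under an install directory. The jar file names and directory layout in `demo()` are constructed for illustration; the class path is the standard location of `JndiLookup` inside log4j-core.

```python
import tempfile
import zipfile
from pathlib import Path

# Standard location of the class inside a log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_has_jndilookup(jar_path):
    """True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def scan(root):
    """Map each log4j-core jar under root to True (class present),
    False (class removed) or None (archive unreadable, check by hand)."""
    results = {}
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        try:
            results[str(jar)] = jar_has_jndilookup(jar)
        except zipfile.BadZipFile:
            results[str(jar)] = None
    return results


def _make_jar(path, with_jndi):
    # Constructed sample jar: empty class entries are enough for the check.
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib" / "jars"  # hypothetical layout
        lib.mkdir(parents=True)
        _make_jar(lib / "log4j-core-unpatched.jar", with_jndi=True)
        _make_jar(lib / "log4j-core-patched.jar", with_jndi=False)
        (lib / "log4j-core-broken.jar").write_bytes(b"not a zip")
        return {Path(p).name: state for p, state in scan(tmp).items()}


if __name__ == "__main__":
    for name, state in demo().items():
        label = {True: "JndiLookup PRESENT", False: "removed", None: "unreadable"}[state]
        print(f"{name}: {label}")
```

Point `scan()` at the real install directory after applying the removal, and treat any `True` or `None` result as a jar that still needs attention.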