Logstash-input-beats and logstash-input-http: log4j-api needs upgrading to >= 2.8.2 because of vulnerability CVE-2017-5645

security

(Caixiangibm) #1

With the upgrade of Logstash to v6.5, the plugin logstash-input-beats went to 5.1.6 and logstash-input-http to 3.2.2, but the dependency on log4j-api is still at version "2.6.2", which is affected by vulnerability CVE-2017-5645 and does not meet the vulnerability security check requirement.
I have opened 2 PRs to the beats and http plugin GitHub repos. Would the developers of logstash-input-beats and logstash-input-http check the dependencies and change the version of log4j-api to 2.8.2 or beyond?

Check in Logstash 6.5:

```
/usr/share/logstash# find . -name log4j-api*
./vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.1.6-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
./vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.1.6-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar
./vendor/bundle/jruby/2.3.0/gems/logstash-input-http-3.2.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
./vendor/bundle/jruby/2.3.0/gems/logstash-input-http-3.2.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar
```




I also opened 2 issues to the beats and http plugin GitHub repos.
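The manual `find` above only lists the jars; it does not say which of them are below the fixed version. The script below is an added example (not code from the issue author or from the Logstash project) that walks an install tree, pulls the version out of each `log4j-api-*.jar` / `log4j-core-*.jar` filename, and compares it numerically against 2.8.2, the fix version named in the issue. The sample directory tree it builds is constructed to mirror the paths in the `find` output; the extra `example-plugin` entry and its 2.9.1 jar are invented purely to show a non-vulnerable case.

```shell
#!/bin/sh
# Added example: flag log4j jars older than the fixed release for
# CVE-2017-5645. MIN_FIXED comes from the issue; everything else here
# (helper names, the sample tree) is an assumption for illustration.

MIN_FIXED="2.8.2"

# version_lt A B: succeed (exit 0) if dotted version A is numerically
# lower than B. Numeric comparison matters: a lexical "2.10.0" < "2.8.2"
# would produce a false positive.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# jar_version PATH: ".../log4j-api-2.6.2.jar" -> "2.6.2"
jar_version() {
    basename "$1" .jar | sed 's/^log4j-[a-z]*-//'
}

# scan_log4j ROOT: one line per jar, "VULNERABLE <ver> <path>" or "OK <ver> <path>"
scan_log4j() {
    find "$1" -type f \( -name 'log4j-api-*.jar' -o -name 'log4j-core-*.jar' \) | sort |
    while IFS= read -r jar; do
        v=$(jar_version "$jar")
        if version_lt "$v" "$MIN_FIXED"; then
            echo "VULNERABLE $v $jar"
        else
            echo "OK $v $jar"
        fi
    done
}

# vulnerable_count ROOT: number of jars below MIN_FIXED (prints 0 when clean)
vulnerable_count() {
    scan_log4j "$1" | grep -c '^VULNERABLE' || true
}

# make_sample_tree: constructed stand-in for /usr/share/logstash, echoing its path.
# The two plugin paths mirror the issue's `find` output; example-plugin is invented.
make_sample_tree() {
    root=$(mktemp -d)
    gems="$root/vendor/bundle/jruby/2.3.0/gems"
    for p in logstash-input-beats-5.1.6-java logstash-input-http-3.2.2-java; do
        d="$gems/$p/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2"
        mkdir -p "$d" && : > "$d/log4j-api-2.6.2.jar"
    done
    d="$gems/example-plugin-0.0.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1"
    mkdir -p "$d" && : > "$d/log4j-api-2.9.1.jar"
    echo "$root"
}

# Usage: sh scan.sh /usr/share/logstash   (no argument: define functions only)
if [ "$#" -gt 0 ]; then
    scan_log4j "$1"
    [ "$(vulnerable_count "$1")" -eq 0 ]
fi
```

Run against the real install as `sh scan.sh /usr/share/logstash`; the exit status is non-zero whenever any jar is below 2.8.2, so it drops straight into a CI or build-verification step. One caveat worth keeping in mind when reading the results: the check keys purely on the version in the jar filename, which is the same thing a dependency scanner does, so it tells you which plugin still vendors an old log4j and needs its dependency bumped, not whether the affected code path is actually reachable in your deployment.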