Logstash using vulnerable JDK

Hi,

The latest Logstash (7.14.0) is using a vulnerable JDK, and we've got a number of security issues because of that. Below is the version of Logstash and the JDK used by it.

Any update on when this will be resolved? And are there any steps that can be used to upgrade the vulnerable JDK shipped with Logstash?

Below are the CVE issues reported on this version of the JDK: CVE-2021-2341, CVE-2021-2388, CVE-2021-2432, CVE-2021-2369

/usr/share/logstash/jdk/bin/java --version
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode)

/usr/share/logstash/bin/logstash -V
Using JAVA_HOME defined java: /usr/lib/jvm/java-11-openjdk-amd64
WARNING, using JAVA_HOME while Logstash distribution comes with a bundled JDK
logstash 7.14.0

You can use another JDK where those CVEs are fixed until a new release with a new bundled JDK is available.

Just set the JAVA_HOME variable.

Tried. Even after installing a separate Java and setting JAVA_HOME, Logstash still refers to its own JDK.

av@dev-elasticsearch-west:~$ echo $JAVA_HOME
/usr/lib/jvm/java-11-openjdk-amd64

av@dev-elasticsearch-west:~$ sudo service logstash restart

av@dev-elasticsearch-west:~$ sudo service logstash status
logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2021-08-27 07:01:36 UTC; 6s ago
Main PID: 14805 (java)
Tasks: 15 (limit: 4915)
Memory: 309.8M
CGroup: /system.slice/logstash.service
└─14805 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -

Aug 27 07:01:36 dev-elasticsearch-west systemd[1]: Started logstash.
Aug 27 07:01:36 dev-elasticsearch-west logstash[14805]: Using bundled JDK: /usr/share/logstash/jdk
Aug 27 07:01:36 dev-elasticsearch-west logstash[14805]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release

You need to set the JAVA_HOME variable for the Logstash user, which is named logstash when installed using a package manager.

You can put it in the /etc/sysconfig/logstash file:

JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64

Logstash will read environment variables from this file when starting.

Thanks Leandro, but I don't see the mentioned logstash file on my system. I had installed Logstash using the commands below, as specified here: Installing Logstash | Logstash Reference [7.14] | Elastic

Am I missing anything?

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install logstash

On Debian-based systems the file that you should edit, or create if it does not exist, is named /etc/default/logstash.

You can also directly edit the systemd service and add the line:

Environment=JAVA_HOME=/path/to/your/java/home

Thanks, this worked.
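
To confirm after the change that the service really runs from the JDK named in JAVA_HOME and not from the bundled one (the symptom shown earlier in the thread), a check like the following can be run. It is an added example, not part of the original posts; the function names are assumptions, while the paths are the ones quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check which JVM the Logstash service runs.

BUNDLED_JDK="/usr/share/logstash/jdk"   # bundled JDK path shown in the thread

# classify_jvm <java-binary> <expected-JAVA_HOME>
# Prints "bundled", "java_home" or "other".
classify_jvm() {
  local exe want
  exe=$1
  want=${2%/}                            # tolerate a trailing slash
  [ -n "$want" ] || want="/nonexistent"  # empty JAVA_HOME must never match
  case "$exe" in
    "$BUNDLED_JDK"/*) echo "bundled" ;;
    "$want"/*)        echo "java_home" ;;
    *)                echo "other" ;;
  esac
}

# java_home_from_envfile <file>
# Prints the last uncommented JAVA_HOME= value, e.g. from /etc/default/logstash.
java_home_from_envfile() {
  sed -n 's/^[[:space:]]*JAVA_HOME=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# check_live [unit] [expected-JAVA_HOME]
# Inspects the running service; run as root so /proc/<pid>/exe of the
# logstash user's process is readable. Returns 0 only for "java_home".
check_live() {
  local unit want pid exe verdict
  unit=${1:-logstash}
  want=${2:-$(java_home_from_envfile /etc/default/logstash 2>/dev/null)}
  pid=$(systemctl show -p MainPID --value "$unit") || return 2
  [ "${pid:-0}" -gt 0 ] || { echo "$unit is not running" >&2; return 2; }
  exe=$(readlink -f "/proc/$pid/exe") || return 2
  verdict=$(classify_jvm "$exe" "$want")
  echo "$unit pid=$pid java=$exe -> $verdict"
  [ "$verdict" = "java_home" ]
}

# Run the live check only when asked: ./check_logstash_jvm.sh --live
if [ "${1:-}" = "--live" ]; then
  check_live
fi
```

When JAVA_HOME is set with an `Environment=` line in the systemd unit instead of /etc/default/logstash, pass the expected path as the second argument to `check_live`.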