Hi,
I am using the below ELK stack versions. Might be old version. I would like to know whether these versions of ELK are vulnerable due to the log4j2 issue.
Elasticsearch-2.3.3
logstash-2.3.1
kibana-4.5.1
I couldn't find any proper solution for the above mentioned versions. If this is vulnerable how can I mitigate.
see the log4j version if it is less than 2.15 then yes you have to replace it
I did replace the 2.16 jar to location but it keeps pointing to old one so I renamed new jar with old name so Its working fine
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
Thanks mangeshs. I understand. But is this possible to do the same for the below ELK versions?
( Elasticsearch-2.3.3
logstash-2.3.1
kibana-4.5.1)
For the custom apps , I have mitigated by setting the system property formatmsglookups to true.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.