Removal of packages from the tar file due to vulnerability (log4j)

So we are deploying elasticsearch using docker file.

it is the same steps followed in the official docker file linked below.

We are trying to do a Version upgrade from 8.2.0 to 8.11.2

The problem is that the scans reveal that log4j-api and log4j-core packages are packaged in the image with version less than 2.15.0 (the infamous log4j vulnerability) coming in via this package (apm-agent-java)

Our company has a guideline of not allowing any log4j package less than 2.15.0 even if it has some workaround done to prevent the vulnerability from being exploited.

So question here,

Will removal of the apm-agent-java cause any errors during the runtime of the elasticsearch ?

The removal here means manually removing the elastic-apm-agent-1.43.0.jar jar file from /usr/share/elasticsearch/modules/apm/ path

I can see the following issue Elasticsearch latest versions still packaged with vulnerable log4j 2.12.4 package · Issue #93746 · elastic/elasticsearch · GitHub, which means that the elastic-apm-agent file was introduced into the tar file from 8.6.1 onwards.

Which Log4J vulnerability exactly do you mean? The file you link references Log4J 2.12.4 which was a security-fix release. Are you sure that it's vulnerable?

Modifying the package in any way is not supported. It may work, or it may only appear to work but silently lose some of your data.

Are you sure that it's vulnerable?

You are correct this version is not vulnerable, I did not check the security fixes done for the java 7 versions

It may work, or it may only appear to work but silently lose some of your data.

This is the data from the apm-agent-java side or the actual data we might store in elasticsearch?

To answer this question would take much more analysis than it deserves. If you modify the package in any way you're no longer using a supported or tested configuration, so all bets are off.

Got it.
Thanks for all the information.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.