Removal of packages from the tar file due to vulnerability (log4j)

Vijeya_Nidhi · December 8, 2023, 2:26pm

So we are deploying elasticsearch using docker file.

it is the same steps followed in the official docker file linked below.

elastic/dockerfiles/blob/8.11/elasticsearch/Dockerfile

################################################################################
# This Dockerfile was generated from the template at distribution/src/docker/Dockerfile
#
# Beginning of multi stage Dockerfile
################################################################################

################################################################################
# Build stage 1 `builder`:
# Extract Elasticsearch artifact
################################################################################

FROM ubuntu:20.04 AS builder

# Install required packages to extract the Elasticsearch distribution

RUN for iter in 1 2 3 4 5 6 7 8 9 10; do \
      apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y curl  && \
      exit_code=0 && break || \
        exit_code=$? && echo "apt-get error: retry $iter in 10s" && sleep 10; \
    done; \

This file has been truncated. show original

We are trying to do a Version upgrade from 8.2.0 to 8.11.2

The problem is that the scans reveal that log4j-api and log4j-core packages are packaged in the image with version less than 2.15.0 (the infamous log4j vulnerability) coming in via this package https://github.com/elastic/apm-agent-java/blob/main/pom.xml#L128 (apm-agent-java)

Our company has a guideline of not allowing any log4j package less than 2.15.0 even if it has some workaround done to prevent the vulnerability from being exploited.

So question here,

Will removal of the apm-agent-java cause any errors during the runtime of the elasticsearch ?

The removal here means manually removing the elastic-apm-agent-1.43.0.jar jar file from /usr/share/elasticsearch/modules/apm/ path

Vijeya_Nidhi · December 8, 2023, 2:27pm

I can see the following issue Elasticsearch latest versions still packaged with vulnerable log4j 2.12.4 package · Issue #93746 · elastic/elasticsearch · GitHub, which means that the elastic-apm-agent file was introduced into the tar file from 8.6.1 onwards.

DavidTurner · December 8, 2023, 5:04pm

Which Log4J vulnerability exactly do you mean? The file you link references Log4J 2.12.4 which was a security-fix release. Are you sure that it's vulnerable?

Modifying the package in any way is not supported. It may work, or it may only appear to work but silently lose some of your data.

Vijeya_Nidhi · December 8, 2023, 6:40pm

Are you sure that it's vulnerable?

You are correct this version is not vulnerable, I did not check the security fixes done for the java 7 versions

It may work, or it may only appear to work but silently lose some of your data.

This is the data from the apm-agent-java side or the actual data we might store in elasticsearch?

DavidTurner · December 8, 2023, 6:52pm

To answer this question would take much more analysis than it deserves. If you modify the package in any way you're no longer using a supported or tested configuration, so all bets are off.

Vijeya_Nidhi · December 8, 2023, 7:02pm

Got it.
Thanks for all the information.

system · January 5, 2024, 7:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.