Zero-day-exploit in log4j2 which is part of elasticsearch

On a somewhat related note - you should also make sure that this command indeed removes JndiLookup.class from the jar.

In my case, when testing it, that didn't happen - glob expansion didn't work correctly with zip, so I needed to specify the full path to the log4j jar.

Here is a temporary workaround I'm using (from my Dockerfile):

# 1. Locate every log4j-core jar under the Logstash tree (there can be more than one, e.g. bundled with plugins)
RUN find /opt/logstash/ -name "*log4j*core*.jar" 2>&1
# 2. Before: confirm JndiLookup.class is present in each jar
RUN jar tf /opt/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar | grep -i jndi
RUN jar tf /opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-test-0.2.0/vendor/bundle/jruby/2.5.0/gems/logstash-core-5.6.4-java/lib/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar | grep -i jndi
# 3. Delete the class from each jar in place (full path to the jar, no glob)
RUN zip -q -d /opt/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
RUN zip -q -d /opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-test-0.2.0/vendor/bundle/jruby/2.5.0/gems/logstash-core-5.6.4-java/lib/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
# 4. After: verify JndiLookup.class is gone. Note that `grep -i jndi` also matches other entries
#    (e.g. JndiManager), so look for JndiLookup specifically; a grep with no match exits 1 and fails the build.
RUN jar tf /opt/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar | grep -i jndi
RUN jar tf /opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-test-0.2.0/vendor/bundle/jruby/2.5.0/gems/logstash-core-5.6.4-java/lib/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar | grep -i jndi

In my case, I also verify that the Jndi class has been correctly removed by grepping the jar contents before and after, and I also removed that class from the log4j.jar which comes bundled with a plugin.

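The find / check-before / remove / check-after sequence above, as an added example that is not the poster's Dockerfile: Python's zipfile stands in for `zip -d` and `jar tf` (so there is no glob-expansion problem and neither `zip` nor `jar` is needed), every `*log4j*core*.jar` under a root is handled, and each jar is re-checked after the rewrite. The sample jar and its temp-dir root are constructed for the demo, not a real log4j build.

```python
import fnmatch, os, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_log4j_core_jars(root):
    """Same match as `find ROOT -name "*log4j*core*.jar"`, case-insensitive."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files
                 if fnmatch.fnmatch(f.lower(), "*log4j*core*.jar")]
    return sorted(hits)

def jar_entries(jar_path):
    """Entry names, like `jar tf` (sorted for stable comparison)."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())

def has_jndi_lookup(jar_path):
    """Exact-entry check instead of a loose `grep -i jndi`."""
    return JNDI_CLASS in jar_entries(jar_path)

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place);
    True only if the class was present and is verified gone afterwards."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path), suffix=".jar")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info))  # keeps per-entry metadata
    os.replace(tmp, jar_path)  # atomic swap over the original
    return not has_jndi_lookup(jar_path)  # re-check, as the post recommends

def mitigate(root):
    """Strip every log4j-core jar under root -> {jar: removed_and_verified}."""
    return {jar: strip_jndi_lookup(jar) for jar in find_log4j_core_jars(root)}

def build_sample_jar():
    """Constructed stand-in for a vulnerable jar in a temp dir (not real log4j)."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "lib", "jars", "log4j-core-2.14.0.jar")
    os.makedirs(os.path.dirname(jar))
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")
    return root, jar
```

Run `mitigate("/opt/logstash")` on a real tree to get one True/False per jar; a False for a jar that still contains the class means the rewrite failed and the build should be stopped.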