Bump elasticsearch to avoid log4j vulnerability #1040

Closed
JPBergsma opened this issue Jan 6, 2022 · 2 comments · Fixed by #1041
Labels
security Pull requests that address a security vulnerability transformer/Elasticsearch Related to filter transformer for Elasticsearch

Comments

@JPBergsma
Contributor

Elasticsearch seems to use log4j internally. (I found it with the tool log4j-sniffer.)
I am not sure how bad this is for us, as the users do not interface directly with Elasticsearch.
With version 7.16.2 this has been fixed.
So I suggest we update the dependency version for Elasticsearch to 7.16.2 just in case.
I also think we currently still require a version below version 7, which blocks users from upgrading to the patched version of Elasticsearch.

@JPBergsma JPBergsma added priority/high Issue or PR with a consensus of high priority transformer/Elasticsearch Related to filter transformer for Elasticsearch security Pull requests that address a security vulnerability labels Jan 6, 2022
@JPBergsma
Contributor Author

JPBergsma commented Jan 6, 2022

I have checked a bit further and it seems log4j was only included when I installed it via the software manager of Linux Mint.
After removing this I did not find it in the miniconda environment I use for the optimade python tools.
I just ran the tests with OPTIMADE_DATABASE_BACKEND="elastic" and they passed. So it seems we are good after all.

@JPBergsma JPBergsma removed the priority/high Issue or PR with a consensus of high priority label Jan 6, 2022
@JPBergsma JPBergsma changed the title Elastic search vulnerability Elastic search log4j vulnerability Jan 6, 2022
@ml-evs
Member

ml-evs commented Jan 6, 2022

The Python elasticsearch_dsl just wraps the elastic query language in Python classes; the vulnerability affects the elasticsearch server itself, which we pull in our CI and have minor instructions for in our installation instructions via docker. You can see the affected elastic docker image versions here: https://hub.docker.com/_/elasticsearch

We could consider just bumping the version in our docs and CI.
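
Since the client library is not the affected component, the useful check is the version of the Elasticsearch server a deployment or CI job actually talks to. The following is an added example (not code from this project or from either commenter) that reads `version.number` from the JSON body an Elasticsearch node returns on `GET /` and compares it against the 7.16.2 release named in this issue; the sample responses are constructed, and the expected-verdict strings are this example's own.

```python
import json
import re
from typing import Tuple

# Lowest Elasticsearch release with the log4j fix, as stated in this issue.
PATCHED_VERSION = "7.16.2"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.16.2' (or '7.16.2-SNAPSHOT') into a comparable tuple of ints."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def server_version_from_info(info_json: str) -> str:
    """Extract version.number from the JSON body an ES node returns on GET /."""
    info = json.loads(info_json)
    return info["version"]["number"]


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the running server is at or above the patched release.

    Anything older, including the 6.x line this project's pin allowed,
    compares lower and is reported as needing an upgrade.
    """
    return parse_version(version) >= parse_version(patched)


def check_node(info_json: str) -> str:
    """Return a one-line verdict for a node's GET / response body."""
    version = server_version_from_info(info_json)
    status = "OK" if is_patched(version) else "UPGRADE NEEDED"
    return f"elasticsearch {version}: {status} (patched release is {PATCHED_VERSION})"


# Constructed sample responses, shaped like the real GET / body (fields trimmed).
SAMPLE_OLD = json.dumps({"name": "es-ci", "version": {"number": "7.10.1"}})
SAMPLE_NEW = json.dumps({"name": "es-ci", "version": {"number": "7.16.2"}})

if __name__ == "__main__":
    # Against a live node you would pass requests.get("http://localhost:9200/").text
    print(check_node(SAMPLE_OLD))
    print(check_node(SAMPLE_NEW))
```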

@ml-evs ml-evs reopened this Jan 6, 2022
@ml-evs ml-evs changed the title Elastic search log4j vulnerability Bump elasticsearch to avoid log4j vulnerability Feb 5, 2022