-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RCE 0-day exploit found in log4j, a popular Java logging package #81618
Comments
This can be mitigated for the time being by adding |
Pinging @elastic/es-security (Team:Security) |
Thank you for your report. Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co. We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled. |
For users installing from packages and having
|
FWIW, not every version of ElasticSearch uses a Log4j version which has the |
The 0-day exploit will provide you remote shell access to the system that runs Elasticsearch. I don't think that this including the closed issue should be a sufficient response from Elastic. There is also no information in the forum and we also have not received any proactive info's or guidelines via our support contract. I think Elastic should take that problem more serious. Every other security measure (TLS, RBAC etc.) has been made obsolete and even Meanwhile we have added |
…ckage elastic/elasticsearch#81618 Signed-off-by: Prajakta Purohit <prajakta@chef.io>
Curious what suggested solutions there may be for older versions that aren't packaged with |
Hi @khou You can remove the class completely for older versions that aren't packaged with log4j 2.10+
|
@chhetripradeep Thanks for this advice~ Do we need to restart es process after remove this class? |
@rockybean Yes i would recommend restarting ES after that. Also I would say you should validate that it has removed the class
|
Elastic has meanwhile provided detailed information about the impact for their products. That gave us important additional info's for Logstash and we are able to update our Docker images and roll them out asap. Thank you for investigating that problem even on the weekend. |
The official forum post says that ES is not vulnerable: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
However there are claims that elastic is vulnerable: https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ElasticSearch.md Are you certain ES is not affected? |
How can this be mitigated within Docker containers? |
@businessbean Sure that you're setting the correct option? The namespace seems to be |
We have added |
Thanks for the hint. It must be |
The log4j PR uses |
The current valid syntax seems to be |
Thanks for the clarification! |
I have added the option and restarted the service, but could see it in parameters in elasticsearch.
Could any help me on this |
This is indeed very concerning. Many 3rd party products rely on the official statement of ES team. If it states that "Elasticsearch is not susceptible to remote code execution", then they will not trigger any urgent upgrades. Therefore I want to repeat the previous question: Are you certain ES is not affected? |
|
* Update to version 7.16.0 * Addresses log4j vulnerability CVE-2021-44228 * See elastic/elasticsearch#81618 (comment)
@xeraa By default Elasticsearch is only accessible from localhost. Would you still recommend setting this Java option if one has not changed this state? If Elasticsearch is not accessible from the outside, then this vulnerability should not be a problem at all. |
As I understand it if your public available application uses the elastic search instance and produces a log in elastic search it can leak environment variables outside by dns lookups ( Edit: I am not part of this project, this is just my humble understanding. |
@aaad Thank you. We'll do that. |
@vikramnr At least on Ubuntu there seems no include for
|
@krauthosting Yes, that's correct. For older 7.x version, elastic is still referring to |
According to the documentation, where you put options for ES determines where this options file/directory exists. But ultimately @vikramnr is right, I'd also verify using |
* Update to version 7.16.0 * Addresses log4j vulnerability CVE-2021-44228 * See elastic/elasticsearch#81618 (comment)
It's a closed issue and we don't publicly comment on security incidents. But to clear up any confusion for validation of JVM options and since this thread will get a lot of hits: |
The metricbeat module for Elasticsearch should be extended to gather that information. That would enable watchers that alert if the JVM settings are not correct. FYI @richardgilm |
@chendo @businessbean This JVM option seems not to mitigate the new follow up DoS vulnerability: |
@krauthosting https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 has been updated for that (guidance is unchanged) @businessbean I feel like this should be a discussion for discuss.elastic.co (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html would IMO be the better tool here, happy to discuss on Discuss). |
Yes, that is possible but than every customer has to take care of that individually and also it will be not guaranteed that everybody will do the ECS config correct. In general i think that the Elastic monitoring tools should support all Elastic stack features out of the box. Otherwise people will look for alternatives like Prometheus. |
From this link, seems like we still have a problem, isn't it? |
There is now an update available, which among other things also brings the latest Log4J version with it. See: |
Both 7.16.1 and 7.16.2 work against all of the currently known Log4j security issue. This "follow-up issue" doesn't apply to Elasticsearch because the precondition is:
This must be how the application uses the logger and only then can an attacker exploit it through a malicious input. Elasticsearch doesn't use it in that way, so it doesn't apply. |
And what about 7.16.0 with the |
The mitigations from the security advisory as well — also explicitly mentioned there :) |
the RCE affected the elastic
https://www.lunasec.io/docs/blog/log4j-zero-day/
The text was updated successfully, but these errors were encountered: