Logstash is vulnerable due to log4j CVE-2021-44228 #13501
Comments
log4j seems to have been updated in all branches, so just waiting for release of patch version.
@davidferdinand thanks for reply. We'll be waiting for binaries/Docker image rollout.
Will this be released soon?
The patch releases are in-flight, and documentation about the CVE, how it affects Logstash, and how to mitigate it are available here: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
Thanks!
Question:
There are also no details on the "information leakage" on JDKs above 8u191 and 11.0.1
@yaauie, I can see that
https://www.docker.elastic.co/r/logstash seems to have it already but not yet found on Docker Hub.
Docker images are available in Elastic's registry:
@jsvd will they be released to DockerHub soon though? A lot of people use that as their image source.
Also please remember to update https://github.com/elastic/dockerfiles EDIT:
I can see that 6.8.21 has been released but I'm getting a 404 on the download page: https://www.elastic.co/downloads/past-releases/logstash-6-8-21 am I just being impatient and it'll be up soon or has something gone wrong with the release?
The release is still happening, so you may find inconsistencies throughout the day, thanks for everyone's patience. The dockerhub images may take longer to be available, as they also depend on external acceptance/validation.
Is there anything planned for v6.6.x or can we simply update the log4j dependency as per the 6.8.21 fix?
6.8 is our maintenance branch for the 6.x major series and should be a safe upgrade from any point in the 6.x series -- while the mitigations in our CVE notice and/or manual application of related patches are likely to work from a technical standpoint, we have not validated their effectiveness on branches that are past their End of Life.
6.8.21 is available now: https://artifacts.elastic.co/downloads/logstash/logstash-6.8.21.tar.gz
Per this post, it says affected versions are:
Does that mean 6.6.2 would not be affected by this vulnerability? I'm using the official image. Thanks
Logstash 7.16.1 version is available in docker hub - https://hub.docker.com/layers/logstash/library/logstash/7.16.1/images/sha256-8b55dd0bcf34783e5653a26da577cec14980a8ecf838cf3ab309329ebe0c124c?context=explore
Hi, will this be available as part of the helm chart at https://helm.elastic.co/ ?
It seems that the 6.8.21 Docker image released today still contains plugins that depend on the vulnerable log4j library versions. This is misleading for anyone who updated to this version believing to have fixed the issue
any plan on releasing a version with plugin updates included?
The issue is on the log4j-core jar that is loaded by "logstash-core", and that jar was upgraded to 2.15.0.
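A defender-side check prompted by the two comments above (plugin jars versus the logstash-core jar): this is an added example, not Logstash's own tooling. It inventories every log4j-core jar under an install directory, reads the version from each jar's manifest, and flags anything below 2.15.0, the version the comment says logstash-core was upgraded to. The directory layout built in demo() is constructed sample data, not Logstash's real plugin paths.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 15, 0)  # log4j-core version shipped by Logstash 7.16.1 / 6.8.21 per this thread

def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0); stop at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1].strip())
    except (KeyError, zipfile.BadZipFile):
        pass  # no manifest entry or not a valid zip: rely on the file name below
    m = re.search(r"log4j-core-(\d+(?:\.\d+)*)", Path(jar_path).name)
    return parse_version(m.group(1)) if m else ()

def scan_install(root):
    """Map every log4j-core jar under root to (version, needs_upgrade)."""
    findings = {}
    for jar in Path(root).rglob("log4j-core-*.jar"):
        version = jar_version(jar)
        # an unreadable version yields () which sorts below FIXED_VERSION, so it is flagged, not skipped
        findings[str(jar)] = (version, version < FIXED_VERSION)
    return findings

def demo():
    """Build a constructed install tree with two jars and scan it (sample data, hypothetical paths)."""
    root = Path(tempfile.mkdtemp())
    samples = {"logstash-core/lib/jars/log4j-core-2.15.0.jar": "2.15.0",    # upgraded core jar
               "vendor/bundle/some-plugin/log4j-core-2.14.1.jar": "2.14.1"}  # constructed stale plugin jar
    for rel, ver in samples.items():
        jar = root / rel
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return {Path(p).name: flagged for p, (_, flagged) in scan_install(root).items()}
```

Point scan_install() at a real Logstash install directory to list every bundled log4j-core jar with its version and whether it still needs the upgrade.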
We've updated the discuss advisory with more detailed information:
Question:
FYI there is a follow-up CVE-2021-45046 https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/ suggests to update to log4j v2.16.0 EDIT: Elastic already updated their advisory to reflect that logstash is not affected by the new CVE.
The mere presence of the exploit string in an event being processed by a pipeline was not sufficient to trigger the exploit. The payload needed to be constructed in such a way that the exploit string was logged, which would depend greatly on the pipeline's definition.
I believe we can now close this issue. For any followups regarding this vulnerability, Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports and concerns of potential security issues or vulnerabilities should be sent via email to security@elastic.co.
Hi Elastic,
A 0-day exploit CVE-2021-44228 in log4j package has been published and all Logstash versions 7.x are affected by a vulnerable version.
Vulnerability:
apache/logging-log4j2#608
Please look at it and advise on the best course of action to secure Logstash and prevent compromise ASAP.
Thanks!
EDIT: Maintainer's Note
Logstash 7.16.1 and 6.8.21 have been released today 2021-12-13 mitigating this issue by upgrading their Log4j libraries.
Details of the CVE as it applies to our products including Logstash, along with mitigations, can be found in our CVE notice post, which is kept up-to-date as information becomes available.
We are keeping this issue open until 2022-01-01 so that those coming to report the issue are able to use it to find a path forward.
-- @yaauie