
Logstash is vulnerable due to log4j CVE-2021-44228 #13501

Closed
t0klian opened this issue Dec 12, 2021 · 28 comments

Comments

@t0klian

t0klian commented Dec 12, 2021

Hi Elastic,

A 0-day exploit, CVE-2021-44228, in the log4j package has been published, and all Logstash 7.x versions are affected by a vulnerable version.

Vulnerability:
apache/logging-log4j2#608

Please look at it and advise on the best course of action to secure Logstash and prevent compromise ASAP.

Thanks!

EDIT: Maintainer's Note

Logstash 7.16.1 and 6.8.21 have been released today 2021-12-13 mitigating this issue by upgrading their Log4j libraries.

Details of the CVE as it applies to our products including Logstash, along with mitigations, can be found in our CVE notice post, which is kept up-to-date as information becomes available.

We are keeping this issue open until 2022-01-01 so that those coming to report the issue are able to use it to find a path forward.

-- @yaauie

@davidferdinand

log4j seems to have been updated in all branches, so just waiting for release of patch version.

@t0klian
Author

t0klian commented Dec 12, 2021

@davidferdinand thanks for the reply. We'll be waiting for the binaries/Docker image rollout.

@jimmy0012

Will this be released soon?

@yaauie
Member

yaauie commented Dec 13, 2021

The patch releases are in-flight, and documentation about the CVE, how it affects Logstash, and how to mitigate it are available here: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

@jimmy0012

Thanks!

@Gaurav2Github

Question:
Security Announcement says only Logstash versions v6.8.x and v7.x are affected.
What does that mean for older versions of Logstash <=v6.7.x?

@Venorcis

Question: Security Announcement says only Logstash versions v6.8.x and v7.x are affected. What does that mean for older versions of Logstash <=v6.7.x?

There are also no details on the "information leakage" on JDKs above 8u191 and 11.0.1

@JonasKs

JonasKs commented Dec 13, 2021

@yaauie , I can see that 7.16.1 is released. Any plans for when the Docker image will be released as well?

@mendorf

mendorf commented Dec 13, 2021

@yaauie , I can see that 7.16.1 is released. Any plans for when the Docker image will be released as well?

https://www.docker.elastic.co/r/logstash seems to have it already but not yet found on Docker Hub.

@jsvd
Member

jsvd commented Dec 13, 2021

Docker images are available in Elastic's registry:

❯ docker run -it docker.elastic.co/logstash/logstash:6.8.21 find /usr/share/logstash -name log4j-core*
/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.15.0.jar

❯ docker run -it docker.elastic.co/logstash/logstash:7.16.1 find /usr/share/logstash -name log4j-core*
/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.15.0.jar

@ingvaldlorentzen

@jsvd will they be released to DockerHub soon though? A lot of people use that as their image source.

@hiredgunhouse

hiredgunhouse commented Dec 13, 2021

Also please remember to update https://github.com/elastic/dockerfiles

EDIT:
I can see you did update that repo, but the default branch still points to 7.16.
If anyone is looking for the branch with the fix, use https://github.com/elastic/dockerfiles/tree/7.16-update-7.16.1

@neoKushan

neoKushan commented Dec 13, 2021

I can see that 6.8.21 has been released, but I'm getting a 404 on the download page: https://www.elastic.co/downloads/past-releases/logstash-6-8-21. Am I just being impatient and it'll be up soon, or has something gone wrong with the release?

@jsvd
Member

jsvd commented Dec 13, 2021

The release is still happening, so you may find inconsistencies throughout the day. Thanks for everyone's patience.

The dockerhub images may take longer to be available, as they also depend on external acceptance/validation.

@scottmitchellbp

Is there anything planned for v6.6.x or can we simply update the log4j dependency as per the 6.8.21 fix?

@yaauie
Member

yaauie commented Dec 13, 2021

Is there anything planned for v6.6.x or can we simply update the log4j dependency as per the 6.8.21 fix?
-- @scottmitchellbp

6.8 is our maintenance branch for the 6.x major series and should be a safe upgrade from any point in the 6.x series -- while the mitigations in our CVE notice and/or manual application of related patches are likely to work from a technical standpoint, we have not validated their effectiveness on branches that are past their End of Life.

@amiga23

amiga23 commented Dec 13, 2021

@travisje

travisje commented Dec 13, 2021

Per this post, it says affected versions are:

Logstash versions 6.8.x and 7.x up to and including 7.16.0, when configured to run on JDKs below 8u191 and 11.0.1, allow for remote loading of Java classes.

Does that mean 6.6.2 would not be affected by this vulnerability? I'm using the official image docker.elastic.co/logstash/logstash-oss:6.6.2.

Thanks

@bilaschandra

@peetasan

Hi, will this be available as part of the helm chart at https://helm.elastic.co/ ?

@bruecktech

bruecktech commented Dec 14, 2021

It seems that the 6.8.21 Docker image released today still contains plugins that depend on the vulnerable log4j library versions. This is misleading for anyone who updated to this version believing they had fixed the issue.

sh-4.2# find / -name "*log4j-api*"
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.11.1.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.4/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.4/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.9.1.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-5.1.9-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-5.1.9-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.11.1.jar
/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.15.0.jar

Any plan on releasing a version with plugin updates included?

@jsvd
Member

jsvd commented Dec 14, 2021

The issue is on the log4j-core jar that is loaded by "logstash-core", and that jar was upgraded to 2.15.0.
You can find a more detailed answer here: #13500 (comment)
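The two `find` listings above (the log4j-core jars in the 6.8.21 and 7.16.1 images, and the log4j-api jars vendored by plugins) are easy to misread, as the reply just above explains: only log4j-core carries the vulnerable lookup code. The script below is an added example, not Elastic's code, that walks an install tree, tells the two artifacts apart, and judges only log4j-core against a minimum version. It assumes jar filenames of the form `log4j-core-<x.y.z>.jar` / `log4j-api-<x.y.z>.jar` as seen in the listings; the default minimum `(2, 15, 0)` is simply the version shipped in the patched images listed in this thread, and the `minimum_core` parameter lets you raise it if a later advisory requires a newer log4j-core. The sample tree it builds is constructed from the paths quoted above.

```python
import os
import re
import tempfile

# Filenames like log4j-core-2.15.0.jar or log4j-api-2.11.1.jar
JAR_RE = re.compile(r"^log4j-(core|api)-(\d+)\.(\d+)\.(\d+)\.jar$")

# log4j-core version shipped in the 7.16.1 / 6.8.21 images listed in the thread.
# Raise this if a later advisory (the thread mentions CVE-2021-45046) requires it.
FIXED_CORE = (2, 15, 0)


def parse_jar(filename):
    """Return (artifact, version_tuple) for a log4j jar filename, else None."""
    m = JAR_RE.match(filename)
    if m is None:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def scan_tree(root, minimum_core=FIXED_CORE):
    """Walk `root` and return one finding per log4j-core / log4j-api jar.

    log4j-core is the artifact that carries the vulnerable lookup code, so it is
    judged against `minimum_core`; log4j-api (the jars vendored by plugins in
    the thread) is recorded as informational only.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parsed = parse_jar(name)
            if parsed is None:
                continue
            artifact, version = parsed
            if artifact == "core":
                status = "ok" if version >= minimum_core else "vulnerable"
            else:
                status = "info"
            findings.append({
                "path": os.path.join(dirpath, name),
                "artifact": artifact,
                "version": version,
                "status": status,
            })
    return findings


def verdict(findings):
    """'vulnerable' if any log4j-core jar is below the minimum, 'ok' if every
    core jar passes, 'no-core-found' if the tree contains no log4j-core at all."""
    cores = [f for f in findings if f["artifact"] == "core"]
    if not cores:
        return "no-core-found"
    if any(f["status"] == "vulnerable" for f in cores):
        return "vulnerable"
    return "ok"


def build_sample_tree():
    """Constructed directory tree mirroring the paths quoted from the 6.8.21
    image above (empty files stand in for the jars)."""
    root = tempfile.mkdtemp(prefix="logstash-sample-")
    sample_paths = [
        "logstash-core/lib/jars/log4j-core-2.15.0.jar",
        "logstash-core/lib/jars/log4j-api-2.15.0.jar",
        "vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-5.1.9-java/"
        "vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.11.1.jar",
        "vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/"
        "vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.11.1.jar",
    ]
    for rel in sample_paths:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    # Point at a real install instead, e.g. scan_tree("/usr/share/logstash")
    root = build_sample_tree()
    results = scan_tree(root)
    for f in results:
        ver = ".".join(map(str, f["version"]))
        print(f"{f['status']:<10} log4j-{f['artifact']} {ver}  {f['path']}")
    print("verdict:", verdict(results))
```

Run it inside a container with the root set to `/usr/share/logstash` and the plugin-vendored log4j-api jars show up as `info` while the verdict is driven by `logstash-core/lib/jars/log4j-core-*.jar` alone. A tree with no log4j-core at all is reported separately rather than as "ok", so a scan of the wrong directory does not pass silently.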

@jsvd
Member

jsvd commented Dec 14, 2021

Does that mean 6.6.2 would not be affected by this vulnerability? I'm using the official image docker.elastic.co/logstash/logstash-oss:6.6.2.

We've updated the discuss advisory with more detailed information:

Affected Versions:
Logstash versions 5.0.0+ up to and including 7.16.0 contain a vulnerable version of Log4j. The severity depends on the JDK used as stated above.
Docker images below version 6.4.3 include a JDK older than 8u191, which means they are open to Remote Code Execution. Images 6.4.3+ don't have known RCE attacks but are still susceptible to Denial of Service and information leaks.
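The version boundaries in the reply above (5.0.0 up to and including 7.16.0 affected; 7.16.1 and 6.8.21 fixed; Docker images below 6.4.3 bundling a JDK older than 8u191; cut-offs of 8u191 and 11.0.1 for the JDK itself) are the kind of thing that gets mis-compared by hand, especially because JDK 8 versions appear as both `1.8.0_191` and `8u191`. The following is an added example, not Elastic's code, that encodes only those statements. `classify_logstash` assumes the Docker image's bundled JDK, as the reply does; for a self-installed JDK use `classify_jdk` on the string from `java -version`. Major JDK lines the thread does not mention (9 and 10, and anything before 8) are reported as `unknown` rather than guessed.

```python
import re


def parse_version(tag):
    """'7.16.1' / '6.8.21' -> (7, 16, 1). Returns None when the tag is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", tag.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify_logstash(tag):
    """Risk class for an official Logstash Docker image tag, per the thread:
    'fixed', 'rce' (bundled JDK older than 8u191), 'dos-or-info-leak', or 'unknown'."""
    v = parse_version(tag)
    if v is None or v < (5, 0, 0):
        return "unknown"               # outside the range the advisory describes
    if v >= (7, 16, 1) or (6, 8, 21) <= v < (7, 0, 0):
        return "fixed"                 # 7.16.1+ and the 6.8.21 maintenance release
    if v < (6, 4, 3):
        return "rce"                   # image ships a JDK older than 8u191
    return "dos-or-info-leak"          # JDK 8u191+ but log4j-core still vulnerable


def parse_jdk(version):
    """Normalise the JDK version formats seen in practice to (major, a, b):
    '1.8.0_191' and '8u191' -> (8, 0, 191); '11.0.1' -> (11, 0, 1); '17' -> (17, 0, 0).
    A build suffix such as '-b12' or '+9' is ignored."""
    v = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    m = re.fullmatch(r"1\.(\d+)\.0_(\d+)", v)        # legacy 1.8.0_191 style
    if m:
        return int(m.group(1)), 0, int(m.group(2))
    m = re.fullmatch(r"(\d+)u(\d+)", v)              # 8u191 update style
    if m:
        return int(m.group(1)), 0, int(m.group(2))
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)  # 11.0.1 / 17.0.1 / 11
    if m:
        major, minor, patch = (int(g) if g else 0 for g in m.groups())
        if major == 1 and minor:                     # '1.8.0' with no update number
            return minor, 0, 0
        return major, minor, patch
    return None


# Cut-offs quoted in the thread: 8u191 for the 8 line, 11.0.1 for the 11 line.
JDK_CUTOFF = {8: (8, 0, 191), 11: (11, 0, 1)}


def classify_jdk(version):
    """'remote-class-loading' below the cut-off for its line (the RCE path the
    thread describes), 'restricted' at or above it, 'unknown' for lines the
    thread does not cover."""
    v = parse_jdk(version)
    if v is None:
        return "unknown"
    major = v[0]
    if major in JDK_CUTOFF:
        return "remote-class-loading" if v < JDK_CUTOFF[major] else "restricted"
    if major > 11:
        return "restricted"            # released after 11.0.1, above both cut-offs
    return "unknown"                   # 9, 10 and pre-8 lines are not covered here


if __name__ == "__main__":
    for tag in ("6.4.2", "6.6.2", "6.8.21", "7.16.0", "7.16.1"):
        print(f"logstash {tag:<8} {classify_logstash(tag)}")
    for jdk in ("1.8.0_181", "8u191", "11.0.0", "11.0.1", "17.0.1", "10.0.2"):
        print(f"jdk {jdk:<10} {classify_jdk(jdk)}")
```

Note that `restricted` is not "safe": as the reply says, images on a JDK at or above the cut-off have no known RCE path but remain exposed to denial of service and information leaks until log4j-core itself is upgraded, so the two classifiers are meant to be read together.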

@olexandrd

Question:
Was Logstash vulnerable when parsing logs, for example web access logs with a prepared user agent?
Thanks in advance

@mendorf

mendorf commented Dec 15, 2021

FYI, there is a follow-up, CVE-2021-45046; https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/ suggests updating to log4j v2.16.0.

EDIT: Elastic already updated their advisory to reflect that logstash is not affected by the new CVE.

@yaauie
Member

yaauie commented Dec 15, 2021

Was Logstash vulnerable when parsing logs, for example web access logs with a prepared user agent?

The mere presence of the exploit string in an event being processed by a pipeline was not sufficient to trigger the exploit. The payload needed to be constructed in such a way that the exploit string was logged, which would depend greatly on the pipeline's definition.

@jsvd
Member

jsvd commented Apr 29, 2022

I believe we can now close this issue.

For any followups regarding this vulnerability, Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports and concerns of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

@jsvd jsvd closed this as completed Apr 29, 2022