
Fix log4j2 CVE-2021-44228 #360

Closed

matprov opened this issue Dec 13, 2021 · 7 comments

Comments


matprov commented Dec 13, 2021

Logstash 2.0 - 2.15 packaged in this image is vulnerable to CVE-2021-44228.

See https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

@gnmerritt

Per https://www.elastic.co/blog/detecting-log4j2-with-elastic-security it looks like we should be able to turn off the vulnerable code paths with this JVM flag: JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true

Author

matprov commented Dec 13, 2021

@gnmerritt Unfortunately no, as per https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 :

Solutions and Mitigations:
Users should upgrade to Logstash 6.8.21 or 7.16.1 once they are released (expected Monday 13th December). These releases will replace vulnerable versions of Log4j with Log4j 2.15.0.

The widespread flag -Dlog4j2.formatMsgNoLookups=true is NOT sufficient to mitigate the vulnerability in Logstash in all cases, as Logstash uses Log4j in a way where the flag has no effect.
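The advice above (upgrade rather than rely on the flag) is only checkable if you know which log4j-core a given image actually bundles. The following is an added example, not code from this thread or from the image's repository: it walks a directory of jars, reads the log4j-core version from the manifest or the filename, and flags anything below 2.15.0 (the fix release quoted above) that still ships JndiLookup.class. The manifest keys it looks for and the stand-in jars it builds for offline testing are assumptions, not real Log4j artifacts.

```python
"""Scan a directory tree for bundled log4j-core jars older than the fix release."""
import re
import zipfile
from pathlib import Path

# Fixed release named in the advisory quoted above; anything below it is flagged.
FIXED_VERSION = (2, 15, 0)
# Class implementing the JNDI lookup; present in an old log4j-core, it is the risk indicator.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.11.1' -> (2, 11, 1); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def assess_jar(jar_path):
    """Return a finding dict for a log4j-core jar, or None if the jar is something else."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    if "org.apache.logging.log4j.core" not in manifest and not jar_path.name.startswith("log4j-core-"):
        return None
    m = (re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
         or re.search(r"log4j-core-(\d[\w.]*)\.jar$", jar_path.name))
    version = parse_version(m.group(1)) if m else None
    has_jndi = JNDI_LOOKUP_CLASS in names
    # An old (or undeterminable) version that still ships the lookup class is what the advisory describes.
    vulnerable = has_jndi and (version is None or version < FIXED_VERSION)
    return {"jar": jar_path.name, "version": version, "jndi_lookup": has_jndi, "vulnerable": vulnerable}

def scan_tree(root):
    """Assess every *.jar under root; returns only the log4j-core findings."""
    return [f for f in (assess_jar(p) for p in Path(root).rglob("*.jar")) if f is not None]

def build_sample_jar(directory, version, with_jndi_lookup=True):
    """Construct a minimal stand-in jar (not a real Log4j artifact) so the scanner can run offline."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    manifest = ("Manifest-Version: 1.0\r\nBundle-SymbolicName: org.apache.logging.log4j.core\r\n"
                f"Implementation-Version: {version}\r\n")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return path
```

Run `scan_tree` against the extracted filesystem of the image (for example the Logstash install directory copied out with `docker cp`) to confirm the bundled log4j-core is at or above the advisory's fix release.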

@gnmerritt

@matprov ahh delightful, thanks for doing the additional digging

@spujadas
Owner

Thanks for raising this and highlighting the solution!

Have updated the repo to version 7.16.1 (ae7672d) and the images (regular and OSS) have been built — thereby fixing the issue.

Author

matprov commented Jan 5, 2022

That's good news @spujadas.
There is also the 6.x version (Logstash 6.8.22) that would need to be updated.
People running 6.x in prod might not be willing to update to 7.x at this time ;)

spujadas added a commit that referenced this issue Jan 5, 2022
Owner

spujadas commented Jan 5, 2022

I really hope that no one is actually using this image in production 😱

Anyway 😄 I haven’t kept the v6 branch up-to-date since v7 was released, so there are a few cobwebs there.
Still not planning to keep v6 up-to-date, but I do understand the urgency of updating to 6.8.22 for those still running v6, so I’ve updated the repo with the bare minimum changes to build 6.8.22, and built and published the image – with the caveat that all the new stuff in the current (v7) branch hasn’t been backported.

Author

matprov commented Jan 5, 2022

Great, thanks @spujadas for taking care of this issue!
