Fix log4j2 CVE-2021-44228 #360
Logstash 2.0 - 2.15 packaged in this image is vulnerable to CVE-2021-44228.
See https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Comments

Per https://www.elastic.co/blog/detecting-log4j2-with-elastic-security it looks like we should be able to turn off the vulnerable code paths with this JVM flag:

@gnmerritt Unfortunately no, as per https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 :

@matprov ahh delightful, thanks for doing the additional digging

Thanks for raising this and highlighting the solution! Have updated the repo to version 7.16.1 (ae7672d) and the images (regular and OSS) have been built — thereby fixing the issue.

That's good news @spujadas.

I really hope that no one is actually using this image in production 😱 Anyway 😄 I haven’t kept the v6 branch up-to-date since v7 was released, so there are a few cobwebs there.

Great, thanks @spujadas for taking care of this issue!
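The thread resolves the issue by rebuilding the images on 7.16.1, but it does not show how to confirm what a given image actually ships. The scanner below is an added example, not code from this repository or from Elastic: it walks a directory of jars (for instance a copy of the container filesystem obtained with `docker export` or `docker cp`), reads the log4j-core version from the jar filename, and checks whether the `JndiLookup` class that CVE-2021-44228 abuses is still present, so a jar older than 2.15.0 with the class stripped is reported as mitigated rather than vulnerable. The `build_sample_jar` helper constructs fake jars in memory purely so the example runs offline; the class names and the 2.15.0 threshold are the real ones, everything else (function names, verdict labels) is this example's own.

```python
"""Scan jars for log4j-core builds exposed to CVE-2021-44228 (added example, not project code)."""
import io
import re
import zipfile
from pathlib import Path
from typing import Iterator, Optional, Tuple

# The lookup class whose JNDI resolution is abused by CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# First log4j-core release in which message lookups are disabled by default.
# Note: 2.15.0 is still affected by the narrower CVE-2021-45046 in non-default
# configurations, so "patched" here means patched against 44228 only.
FIRST_FIXED = (2, 15, 0)

# Verdict labels used by this example (hypothetical names, not a standard).
VULNERABLE = "vulnerable"
MITIGATED = "mitigated-class-removed"
PATCHED = "patched"
NOT_LOG4J_CORE = "not-log4j-core"


def parse_log4j_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a log4j-core jar filename, or None.

    A missing patch component (e.g. log4j-core-2.0-beta9.jar) is treated as 0.
    """
    m = re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?", jar_name)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess_jar(jar_bytes: bytes, jar_name: str) -> str:
    """Classify one jar by version and by presence of the JndiLookup class."""
    version = parse_log4j_version(jar_name)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        has_lookup = JNDI_LOOKUP_CLASS in zf.namelist()
    if version is None:
        # Not named like log4j-core: only a shaded/relocated copy of the
        # class gives it away, so the class check is the only signal.
        return VULNERABLE if has_lookup else NOT_LOG4J_CORE
    if version >= FIRST_FIXED:
        return PATCHED
    # Old version, but vendors sometimes delete the class instead of upgrading.
    return VULNERABLE if has_lookup else MITIGATED


def scan_tree(root: Path) -> Iterator[Tuple[Path, str]]:
    """Yield (path, verdict) for every *.jar under root, e.g. an exported container fs."""
    for jar in root.rglob("*.jar"):
        yield jar, assess_jar(jar.read_bytes(), jar.name)


def build_sample_jar(include_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar so the example runs offline.

    The class bodies are just the 0xCAFEBABE magic; only entry names matter here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    cases = [
        ("log4j-core-2.11.1.jar", True),   # old build, class present
        ("log4j-core-2.11.1.jar", False),  # old build, class stripped
        ("log4j-core-2.15.0.jar", True),   # first default-safe release
        ("logstash-core.jar", True),       # shaded copy hiding in another jar
    ]
    for name, lookup in cases:
        print(f"{name:24s} JndiLookup={lookup!s:5s} -> {assess_jar(build_sample_jar(lookup), name)}")
```

To check a running image, copy its filesystem out (for example `docker export <container> | tar -x -C /tmp/elk`) and iterate `scan_tree(Path("/tmp/elk"))`; anything reported as `vulnerable` needs the upgrade the thread describes, since, as the thread notes, the JVM flag alone is not considered sufficient.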