0-day in log4j package #81620
Comments
Duplicate of #81618
We are currently using two versions, 5.5.2 and 7.7.1.
Added this to my
I see #81624 merged; does that mean this also releases a new docker image here: https://www.docker.elastic.co/r/elasticsearch/elasticsearch
OpenSearch is patched, feel free to adopt :)
@JerryGuos We have some 5.6.x Elastic infrastructure still running, and have dropped the resolved jar file in and removed the 2.8.x version (after stopping the service). Started the service afterwards and ran some tests against it. This appears functional (albeit less-than-ideal). ymmv though.
cc @Ark74, what about your Docker?
Is there any ES v7.16.1 release plan?
Some sources state that simply adding "-Dlog4j2.formatMsgNoLookups=true" is not an acceptable mitigation, because there are too many variables that may make it weak or ineffective. When can we expect an update of the log4j dependency for Elasticsearch? What versions will receive that update?
@t0klian can you please provide links to these sources?
@aSapien I've just re-phrased it to "some".
@t0klian please share which variables other than
The one I'm using
Where did these two jar files come from? Did the version change have no impact, without changing any other parameter settings?
The URL is above.
The jar download no longer works; did the official site withdraw it?
https://logging.apache.org/log4j/2.x/download.html?spm=a2c4g.11174386.n2.3.37314c07isUvXE# Download from here.
Apache officially removed 2.15.1 and released 2.16.0.
Yes, thanks. I also just noticed they released 2.16 rc1.
How can I verify that this issue has been fixed? Or how do I reproduce it?
I did a docker pull for Elasticsearch 7.16.1 and I am still having problems with Log4j2 according to the Aquasec scan.
Elasticsearch version 7.16.1 has been released.
The version of log4j2 wasn't bumped, but the out-of-box logging configuration was updated to take into account the recommended mitigation strategies. https://www.elastic.co/guide/en/elasticsearch/reference/current/release-notes-7.16.1.html
For the latest updates on this issue, please refer to https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co. We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.
Hello, could you consider this bug incompletely resolved, as the 6.8.21 Docker version still contains log4j-core-2.11.1.jar?
Hi @julichan, indeed Log4j has not been removed in total. See this statement: so if you looked inside the jar in 6.8.20 and earlier, this class would show up. But now, there should be nothing to find.
Thanks for your quick reply
As per the latest thread https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f, setting the log4j.formatMsgNoLookups property to true does not mitigate the issue.
@vishallalwani, the variable log4j.formatMsgNoLookups alone does not mitigate it. But if the faulty class JNDILookup is removed from the jar, it does!
I have tried the following method for my ES 6.2.2:
@kimchy it seems you are on the ES team; could you ask somebody to check this solution? Thank you very much.
I tried the solution suggested by @fishjam above for 7.14.1, but it is not working; ES does not start up properly. [2021-12-15T14:02:22,454][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [SK-FS-2K19] uncaught exception in thread [main]
To add to my above comment, the same exact steps do work with 7.12.0, it seems. Unfortunately that is not an option for us because our application bundles 7.14.1 only and it is already out in the market.
I reproduce the exception, as sandeepk-veritas did, for 7.14.1.
@fishjam thanks a lot for the quick response. Yes, we will wait for the official solution.
We also plan to use this solution to fix the CVE. Is it an official recommendation?
There is an advisory for fixes on 5.0.0-5.6.10 and 6.0.0-6.3.2: https://discuss.elastic.co/t/elasticsearch-5-0-0-5-6-10-and-6-0-0-6-3-2-log4j-cve-2021-44228-cve-2021-45046-remediation/292054 PS: Don't drop in the latest Log4j JAR — it's not that simple, as you can see in #47298. But we're working on a bigger fix to move to the latest version.
After analyzing the steps:
In my opinion, the log4j security issue in #47298 should be fixed in log4j. I will try to create a PR for it.
With 7.14.1 and log4j2 2.16.0 jars in place, one option that I tried today is to remove x-pack-deprecation and see whether ES is able to start up or not.
Hi @xeraa, I have a version 6.8.1 running on Linux. I don't see instructions in the official advisory on that version, other than upgrade ES. I've tried @fishjam's method to replace the 2.11.1 jars with 2.16.0. I restarted the elasticsearch service and it runs fine without any error. Should I go with that approach if I don't want to upgrade ES right now? Thanks.
There is already LOG4J2-3236 for "java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")" since yesterday.
To close the loop here: Elasticsearch 7.16.2 and 6.8.22 are out and they use Log4j 2.17.0. This is the version you really want :)
Does anyone know when 7.16.2 will be published to docker hub?
Looks like it has been merged (docker-library/elasticsearch@53dedd3), but I'm not sure what it will take now to appear. In the meantime, you can always pull it from the Elastic repo:
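Two checks come up repeatedly in this thread: whether `JndiLookup.class` is still inside the `log4j-core` jar (the removal that actually mitigates CVE-2021-44228) and whether the bundled Log4j is already 2.17.0, the version the thread recommends. The script below is an added example, not code from this issue or from Elastic; it walks a directory such as an Elasticsearch `lib/` folder, reads the version from the jar filename, lists the jar contents for the lookup class, and classifies each jar. The sample jars it builds for offline use are constructed placeholders, not real Log4j artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class that performs JNDI lookups (CVE-2021-44228); the thread notes that
# stripping it from log4j-core is the workaround that actually works.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Thread's closing advice: Elasticsearch 7.16.2 / 6.8.22 ship Log4j 2.17.0.
FIXED_VERSION = (2, 17, 0)
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def inspect_jar(path):
    """Return (version tuple or None, JndiLookup present?) for one jar."""
    m = NAME_RE.search(Path(path).name)
    version = tuple(int(x) for x in m.groups()) if m else None
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    return version, has_jndi

def assess(version, has_jndi):
    """Classify a log4j-core jar along the lines the thread recommends."""
    if version is not None and version >= FIXED_VERSION:
        return "OK: Log4j %d.%d.%d" % version
    if has_jndi:
        return "VULNERABLE: JndiLookup.class present, upgrade to 2.17.0 or strip it"
    if version is None:
        return "UNKNOWN: JndiLookup absent but version unreadable, verify manually"
    return "MITIGATED: JndiLookup stripped, still upgrade to 2.17.0"

def scan(root):
    """Walk a tree (e.g. an Elasticsearch lib/ dir) and assess each log4j-core jar."""
    return {jar.name: assess(*inspect_jar(jar))
            for jar in Path(root).rglob("log4j-core-*.jar")}

def build_sample_tree():
    """Constructed sample jars (not real Log4j artifacts) so the scan runs offline."""
    root = tempfile.mkdtemp()
    for version, with_jndi in (("2.11.1", True), ("2.16.0", False), ("2.17.0", False)):
        with zipfile.ZipFile(f"{root}/log4j-core-{version}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return root

if __name__ == "__main__":
    for name, verdict in sorted(scan(build_sample_tree()).items()):
        print(f"{name}: {verdict}")
```

Point `scan()` at a real Elasticsearch installation to check every bundled `log4j-core` jar, including the ones under `modules/` and `plugins/`.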
Hi Elastic,
A 0-day exploit in the log4j package has been published and it looks like ElasticSearch could be affected by a vulnerable version: elasticsearch/build-tools-internal/version.properties (lines 16 to 18 in 68836bb).
Vulnerability: apache/logging-log4j2#608
Please look at it and advise on the best course of action to secure an Elastic cluster and prevent compromise ASAP.
Thanks!