0-day in log4j package

[aSapien]

Hi Elastic,

A 0-day exploit in log4j package has been published and it looks like ElasticSearch could be affected by a vulnerable version:

elasticsearch/build-tools-internal/version.properties

Lines 16 to 18 in 68836bb

	# when updating log4j, please update also docs/java-api/index.asciidoc
	log4j = 2.11.1
	slf4j = 1.6.2

Vulnerability:
apache/logging-log4j2#608

Please look at it and advice on the best course of action to secure an elastic cluster and prevent compromise ASAP.

Thanks!

Duplicate of #81618
Mitigation in there as well.

[JerryGuos]

We are currently using two versions, 5.5.2 and 7.7.1.
For log4j-2.10.x , I can add -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS.
However, in version 5.5.2, the version is 2.8.2 and -Dlog4j2.formatMsgNoLookups=true is invalid.

[jaywilliams]

Added this to my /etc/elasticsearch/jvm.options file to set the flag.

# CVE-2021-44228
-Dlog4j2.formatMsgNoLookups=true

[akx]

Looks like #81622, #81623, #81624, #81625 are addressing this. :)

[mehta-ankit]

I see #81624 merged, does that mean this also release a new docker image here: https://www.docker.elastic.co/r/elasticsearch/elasticsearch
Or will that happen when a new release is cut for 7.16 (like 7.16.1) ? nvm i see the label 7.16.1 on the PR

[jkowall]

OpenSearch is patched, feel free to adopt :)

opensearch-project/OpenSearch#1698

[p-ob]

We are currently using two versions, 5.5.2 and 7.7.1.
For log4j-2.10.x , I can add -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS.
However, in version 5.5.2, the version is 2.8.2 and -Dlog4j2.formatMsgNoLookups=true is invalid.

@JerryGuos We have some 5.6.x Elastic infrastructure still running, and have dropped the resolved jar file in and removed the 2.8.x version (after stopping the service). Started the service afterwards and run some tests against it. This appears functional (albeit less-than-ideal).

ymmv though.

[enoch85]

cc @Ark74, what about your Docker?

[tanguofu]

I see #81624 merged, does that mean this also release a new docker image here: https://www.docker.elastic.co/r/elasticsearch/elasticsearch Or will that happen when a new release is cut for 7.16 (like 7.16.1) ? nvm i see the label 7.16.1 on the PR

is there any es v7.16.1 release plan ?

[t0klian]

Some sources state that simply adding "-Dlog4j2.formatMsgNoLookups=true" is not an acceptable mitigation, because there are too many variables that may make it weak or ineffective.

When can we expect update of the log4j dependency for Elasticsearch? What versions will receive that update?

[aSapien]

@t0klian can you please provide links to these sources?

[t0klian]

@aSapien I've just re-phrased it to "some".