Note

Updated 20 December 2021 16:15 CET
Added information regarding CVE-2021-45105. No change to advice.
Added warning not to manually replace Log4j libraries with Log4j 2.17.x packages; doing so may cause Elastic products to stop working.
Clarified language in Elasticsearch section. No change to advice.
Fixed: added the existing JVM option for Elasticsearch to the mitigation summary. No change to advice.

Updated 16 Dec 2021 17:20 CET
Added information for Elasticsearch and Logstash regarding CVE-2021-45046. No change to advice.
Amended Logstash mitigation with Elastic’s official advice on removing JndiLookup.class from vendor libraries. No significant change to advice; the official mitigation is similar to the advice we provided before this update.
Updated Neo4j assessment with a link to the official Neo4j statement. No change to advice.

Updated 15 Dec 2021 15:40 CET
Amended advice for Elasticsearch. Changed to “affected” because instances running with JDK 8 are susceptible to a DNS leak. The advice that Elasticsearch 7+ running JDK 8 is not susceptible to CVE-2021-44228 remains.
Added additional Elasticsearch DNS leak information and mitigation.
Added precautionary RCE mitigation for Elasticsearch.

Updated 15 Dec 2021 09:00 CET
This advisory supersedes EIQ-2021-0016.
Caution
This is a developing situation. Currently known immediate mitigations are covered in this advisory, while we investigate longer-term mitigations.

Previously, in EIQ-2021-0016, we described CVE-2021-44228 as mitigated in the Intelligence Center by using certain versions of JDK. This is no longer true as of 11 December 2021.
The Intelligence Center is bundled with 4 Java applications, of which only Logstash appears to be affected.
Not affected: Kibana and Neo4j
Mitigated: Hosted Intelligence Center
Hosted Intelligence Center instances have implemented mitigations per Elastic’s security advice. Hosted environments do not use Logstash. Hosted environments are deployed with OpenJDK 14.0.1, mitigating the DNS leak issue with Elasticsearch.
Mitigations for Elasticsearch
Elasticsearch is not affected by CVE-2021-45105.
Elasticsearch 7+ running JDK 8 is not susceptible to CVE-2021-44228 or CVE-2021-45046. Risk has been mitigated by Elasticsearch’s Java Security Manager policies (Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31).
However, Elasticsearch 7+ running JDK 8 is still susceptible to a DNS information leak.
To mitigate the DNS information leak:
On the Elasticsearch host, add the following to the JVM options file:
Caution
If you are running the Elasticsearch installation bundled with the Intelligence Center, modify this file instead: /etc/eclecticiq-elasticsearch/jvm.options
-Dlog4j2.formatMsgNoLookups=true
Restart the Elasticsearch service:
[sudo] systemctl restart elasticsearch
As a further precaution against CVE-2021-44228, you can remove JndiLookup.class from Elasticsearch packages:
Tip
Where $ES_INSTALL_DIR is the installation directory of Elasticsearch, typically /usr/share/elasticsearch .
Remove JndiLookup.class from your Elasticsearch host:
[sudo] zip -q -d $ES_INSTALL_DIR/lib/log4j-core-2.*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Restart the Elasticsearch service:
[sudo] systemctl restart elasticsearch
Mitigations for Logstash
Logstash 7.9.1 is:
Impacted by CVE-2021-44228.
Not impacted by CVE-2021-45046.
Not impacted by CVE-2021-45105.
To mitigate CVE-2021-44228 within an Intelligence Center environment, you should:
Tip
Where $LOGSTASH_HOME is the home directory of your Logstash installation, typically /usr/share/logstash .
Remove JndiLookup.class from your Logstash host:
[sudo] zip -q -d $LOGSTASH_HOME/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
(Not required)
You can also remove JndiLookup.class from the logstash-*-tcp libraries on your Logstash host. Elastic states that these files are not loaded by Logstash, but users can remove them with:
[sudo] zip -q -d $LOGSTASH_HOME/vendor/**/*/logstash*tcp*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Restart the Logstash service:
[sudo] systemctl restart logstash
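After applying the Elasticsearch and Logstash steps above, it is worth confirming that the zip -d step actually reached every log4j-core jar (a glob that matches more than one jar, or a vendor tree that was missed, leaves a copy of JndiLookup.class behind) and that the JVM option was not left commented out. The following is an added verification script, not part of this advisory or of Elastic’s tooling; it scans a directory tree for log4j-core-2.*.jar files, reports which still contain JndiLookup.class, checks a jvm.options file for -Dlog4j2.formatMsgNoLookups=true, and runs against a constructed sample tree so it can be tried offline.

```python
import tempfile
import zipfile
from pathlib import Path

# Entry removed by the advisory's "zip -q -d" step, and the JVM flag it adds.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def find_log4j_core_jars(root):
    """All log4j-core-2.*.jar files below root (covers lib/ and vendor/ trees)."""
    return sorted(Path(root).rglob("log4j-core-2.*.jar"))


def jar_has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class, i.e. the zip -d step did not land."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_ENTRY in jar.namelist()


def jvm_options_has_no_lookups(options_path):
    """True only if an uncommented line in jvm.options sets the flag exactly."""
    lines = (ln.strip() for ln in Path(options_path).read_text().splitlines())
    return any(ln == NO_LOOKUPS_FLAG for ln in lines if not ln.startswith("#"))


def audit(root, options_path):
    """Status per jar ("ok" / "UNMITIGATED") plus the jvm.options result."""
    report = {str(j): "UNMITIGATED" if jar_has_jndi_lookup(j) else "ok"
              for j in find_log4j_core_jars(root)}
    report["jvm.options"] = "ok" if jvm_options_has_no_lookups(options_path) else "MISSING"
    return report


def build_sample_host():
    """Constructed sample tree, not a real install: one cleaned and one unmitigated jar."""
    root = Path(tempfile.mkdtemp())
    lib = root / "lib"
    lib.mkdir()
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; placeholder bytes
    with zipfile.ZipFile(lib / "log4j-core-2.x-unmitigated.jar", "w") as jar:
        jar.writestr(JNDI_ENTRY, fake_class)
        jar.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    with zipfile.ZipFile(lib / "log4j-core-2.x-cleaned.jar", "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    opts = root / "jvm.options"
    opts.write_text("-Xms1g\n# -Dlog4j2.formatMsgNoLookups=true\n")  # commented out = not applied
    return root, opts


if __name__ == "__main__":
    for path, status in audit(*build_sample_host()).items():
        print(f"{status:12s} {path}")
```

On a real host, call audit() with $ES_INSTALL_DIR or $LOGSTASH_HOME as root and the relevant jvm.options path; any "UNMITIGATED" or "MISSING" line means the corresponding step above still has to be applied.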
Do not replace or upgrade affected Log4j packages used by Elasticsearch and Logstash versions bundled with the Intelligence Center
Log4j 2.17.x should not be considered a drop-in replacement for affected Log4j libraries in Elastic products. Attempting to manually replace or upgrade the affected Log4j packages used by Elasticsearch and Logstash may cause them to stop working.