EIQ-2021-0016-2

ID

EIQ-2021-0016-2

CVE

Description

Log4j versions earlier than 2.15 have a remote code execution vulnerability, affecting Logstash.

Supersedes EIQ-2021-0016.

Date

Updated 20 December 2021 16:15 CET

14 December 2021

Severity

3-HIGH

CVSSv3 score

10.0

Status

✅ Fixed in IC versions 2.9.4, 2.10.4, 2.11.1.

Assessment

Note

Updated 20 December 2021 16:15 CET

  • Added information regarding CVE-2021-45105. No change to advice.

  • Added warning to not manually replace Log4j libraries with Log4j 2.17.x packages; may cause Elastic products to stop working.

  • Clarified language in Elasticsearch section. No change to advice.

  • Fixed: add existing JVM Option for Elasticsearch to mitigation summary. No change to advice.

Updated 16 Dec 2021 17:20 CET

  • Added information for Elasticsearch and Logstash regarding CVE-2021-45046. No change to advice.

  • Amended Logstash mitigation with Elastic’s official advice on removing JndiLookup.class from vendor libraries. No significant change to advice; official mitigation is similar to advice we provided before this update.

  • Updated Neo4j assessment with link to official Neo4j statement. No change to advice.

Updated 15 Dec 2021 15:40 CET

  • Amended advice for Elasticsearch. Changed to “affected” because instances running with JDK 8 are susceptible to DNS leak.

  • Advice that Elasticsearch 7+ running JDK 8 is not susceptible to CVE-2021-44228 remains.

  • Added additional Elasticsearch DNS leak info and mitigation.

  • Added precautionary RCE mitigation for Elasticsearch.

Updated 15 Dec 2021 09:00 CET

  • Now includes information about $LOGSTASH_HOME.

  • Updated to state that Hosted Intelligence Center instances do not use Logstash.

This advisory supersedes EIQ-2021-0016

Caution

This is a developing situation. Currently known immediate mitigations are covered in this advisory, while we investigate longer-term mitigations.

Previously in EIQ-2021-0016, we described CVE-2021-44228 as mitigated in the Intelligence Center by using certain versions of JDK. This is no longer true as of 11 December 2021.

The Intelligence Center is bundled with 4 Java applications, of which only Logstash appears to be affected.

Not affected: Kibana and Neo4j

Mitigated: Hosted Intelligence Center

  • Hosted Intelligence Center instances have implemented mitigations per Elastic’s security advice.

  • Hosted environments do not use Logstash.

  • Hosted environments are deployed with OpenJDK 14.0.1, mitigating the DNS leak issue with Elasticsearch.

Mitigations for Elasticsearch

  • Elasticsearch is not affected by CVE-2021-45105.

  • Elasticsearch 7+ running JDK 8 is not susceptible to CVE-2021-44228 or CVE-2021-45046. Risk has been mitigated by Elasticsearch’s Java Security Manager policies. (Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31)

  • However, Elasticsearch 7+ running JDK 8 is still susceptible to a DNS information leak.

  • To mitigate the DNS information leak:

    1. On the Elasticsearch host, add the following to the JVM options file:

      Caution

      If you are running the Elasticsearch installation bundled with the Intelligence Center, modify this file instead: /etc/eclecticiq-elasticsearch/jvm.options.

      -Dlog4j2.formatMsgNoLookups=true
      
    2. Restart the Elasticsearch service:

      [sudo] systemctl restart elasticsearch
      
  • As a further precaution against CVE-2021-44228, you can remove JndiLookup.class from Elasticsearch packages:

    Tip

    Where $ES_INSTALL_DIR is the installation directory of Elasticsearch. Typically /usr/share/elasticsearch.

    1. Remove JndiLookup.class from your Elasticsearch host:

      [sudo] zip -q -d $ES_INSTALL_DIR/lib/log4j-core-2.*.jar  org/apache/logging/log4j/core/lookup/JndiLookup.class
      
    2. Restart the Elasticsearch service:

      [sudo] systemctl restart elasticsearch
      

Mitigations for Logstash

Logstash 7.9.1 is:

  • Impacted by CVE-2021-44228.

  • Not impacted by CVE-2021-45046.

  • Not impacted by CVE-2021-45105.

To mitigate CVE-2021-44228 within an Intelligence Center environment, you should:

Tip

Where $LOGSTASH_HOME is the home directory of your Logstash installation. Typically /usr/share/logstash.

  1. Remove JndiLookup.class from your Logstash host:

    [sudo] zip -q -d $LOGSTASH_HOME/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
    
  2. (Not required) You can also remove JndiLookup.class from the logstash-*-tcp libraries from your Logstash host. Elastic states that these files are not loaded by Logstash, but users can remove them with:

    [sudo] zip -q -d $LOGSTASH_HOME/vendor/**/*/logstash*tcp*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    
  3. Restart the Logstash service:

    [sudo] systemctl restart logstash
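
A post-mitigation check for the Elasticsearch and Logstash steps above, added here as an example and not part of the original advisory or of Elastic's tooling: it walks an installation directory, lists jars matching the advisory's file patterns that still contain JndiLookup.class, and checks a JVM options file for the formatMsgNoLookups flag. The function names and the sample tree are constructed for illustration.

```python
import fnmatch
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JAR_PATTERNS = ("log4j-core-2.*", "logstash*tcp*.jar")  # from the zip commands above


def jars_with_jndilookup(install_dir):
    """Return sorted paths of matching jars that still contain JndiLookup.class."""
    hits = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            path = os.path.join(root, name)
            if not any(fnmatch.fnmatch(name, p) for p in JAR_PATTERNS) or not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as jar:
                if JNDI_CLASS in jar.namelist():
                    hits.append(path)
    return sorted(hits)


def nolookups_flag_set(jvm_options_path):
    """True only if an uncommented line is exactly the flag (no version prefix)."""
    with open(jvm_options_path, encoding="utf-8") as fh:
        return any(line.strip() == NOLOOKUPS_FLAG for line in fh)


def build_sample(base):
    """Constructed sample tree: one unpatched jar, one patched jar, one options file."""
    jars = os.path.join(base, "logstash-core", "lib", "jars")
    os.makedirs(jars)
    with zipfile.ZipFile(os.path.join(jars, "log4j-core-2.x-unpatched.jar"), "w") as z:
        z.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(jars, "log4j-core-2.x-patched.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    opts = os.path.join(base, "jvm.options")
    with open(opts, "w", encoding="utf-8") as fh:
        fh.write("# " + NOLOOKUPS_FLAG + "\n-Xms1g\n" + NOLOOKUPS_FLAG + "\n")
    return opts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        opts = build_sample(base)
        print("jars still containing JndiLookup.class:", jars_with_jndilookup(base))
        print("formatMsgNoLookups set:", nolookups_flag_set(opts))
```

Run jars_with_jndilookup against $ES_INSTALL_DIR or $LOGSTASH_HOME after the zip commands; an empty list means the class is gone from every matching jar.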
    

Do not replace or upgrade affected Log4j packages used by Elasticsearch and Logstash versions bundled with the Intelligence Center

Log4j 2.17.x should not be considered a drop-in replacement for affected Log4j libraries in Elastic products. Attempting to manually replace or upgrade the affected Log4j packages used by Elasticsearch and Logstash may cause them to stop working.

Mitigation

Upgrade the IC to >=2.9.4, >=2.10.4, >=2.11.1.

If an upgrade is not possible, you can perform these mitigations:

  • Remove the JndiLookup class file from Logstash.

  • Set -Dlog4j2.formatMsgNoLookups=true in Elasticsearch JVM Options.

See assessment for details.

Affected versions

2.9.x – 2.11.0 (affects Logstash and Elasticsearch 7.9.1)

Hosted Intelligence Center instances have implemented mitigations; see assessment.

Notes

N/A