December 10th started with the public disclosure of the Apache Log4j vulnerability CVE-2021-44228, affecting the popular open-source logging framework used by many Java-based custom and commercial applications. The Apache Log4j project released a fix for this initial vulnerability in Log4j version 2.15.0.
However, the fix was incomplete and left a potential DoS and data exfiltration vulnerability, logged as CVE-2021-45046. This was fixed in Log4j2 version 2.16.0. Version 2.16.0 was then itself found to be vulnerable to a further DoS issue, CVE-2021-45105, leading to the release of Apache Log4j2 version 2.17.0. (source: Elasticsearch)
Where does this leave Platina LS? Platina LS uses Elasticsearch 6, for which Elastic has released the following statement:
“Elasticsearch 6 and 7 are not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager. Elasticsearch running on JDK8 or below is susceptible to an information leak via DNS which is fixable by the JVM option identified below.”
Our interpretation of the above is that Elastic has investigated Log4j in more detail because of this vulnerability and found the DNS leak, hence the advisory configuration change.
To apply the JVM option mentioned above, use the following steps. Note that the installed Windows service takes its JVM options from the values recorded when the service was installed, so editing config\jvm.options on its own does not change a running service; the option has to be added through the service manager as below (or the service reinstalled).
To set the JVM option:
- Stop the Elasticsearch service.
- From the command line run: C:\elasticsearch-6.1.3\bin>elasticsearch-service.bat manager
- On the Java tab, scroll down to the -Dlog4j2 settings, insert a new line and paste in -Dlog4j2.formatMsgNoLookups=true
- Click OK and restart the Elasticsearch service.
- Check the Elasticsearch log files for any errors.
Two caveats: the formatMsgNoLookups property is only honoured by Log4j 2.10.0 and later, so check the version of log4j-core-*.jar in the lib folder before relying on it, and Apache withdrew it as a complete mitigation when CVE-2021-45046 was published. Treat it as a stop-gap and prefer the upgrade below.
For users that wish to upgrade to Apache Log4j2 version 2.17.0:
We have tested this internally by upgrading our own Elasticsearch cluster without any noticeable issues. The steps to perform this upgrade are as follows:
- Stop the Elasticsearch service on the search server.
- Navigate to the Elasticsearch install location on the search server; this is normally C:\elasticsearch-6.1.3
- Back up the lib folder.
- Delete the existing Log4j jar files:
- Replace them with the equivalent files from the download apache-log4j-2.17.0-bin.zip. This can be obtained from Apache, or we have a copy here. Replace every Log4j jar together (log4j-core and log4j-api must be the same version) and check the plugins folder for any plugin that bundles its own copy.
- Restart the Elasticsearch service and check the Elasticsearch log files for any errors.
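To verify the outcome of either procedure above (the JVM option set through the service manager, or the jar replacement), the following PowerShell audit script is an added example and is not Platina's or Elastic's own tooling. It assumes the install folder used on this page (C:\elasticsearch-6.1.3), that the service was installed with elasticsearch-service.bat (which uses Apache procrun, so the JVM options live under the procrun registry key built below, with the default service name elasticsearch-service-x64), and that jar versions can be read from the file name. It reports, for every Log4j jar under the install, whether it is at 2.17.0 or later, whether JndiLookup.class has been removed from log4j-core, and whether the formatMsgNoLookups flag is actually being passed to the service JVM.

```powershell
<#
  Added example, not Platina's or Elastic's code: audit an Elasticsearch 6.x Windows
  install for the Log4j state discussed above.
  Assumptions (change to suit your server):
    - $EsHome is the install folder (the page uses C:\elasticsearch-6.1.3).
    - The service was installed with elasticsearch-service.bat, so its JVM options are
      stored by Apache procrun under the registry key built below. The default procrun
      service name for Elasticsearch is assumed; check services.msc if yours differs.
    - Jar versions are taken from the file name, e.g. log4j-core-2.17.0.jar.
#>
param(
    [string]$EsHome      = 'C:\elasticsearch-6.1.3',
    [string]$ServiceName = 'elasticsearch-service-x64'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

$MinFixed      = [version]'2.17.0'   # first release covering 44228, 45046 and 45105
$MinFlagHonour = [version]'2.10.0'   # formatMsgNoLookups did not exist before 2.10
$JndiClass     = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

# 1. Is -Dlog4j2.formatMsgNoLookups=true really passed to the service JVM?
#    An edit to config\jvm.options alone does not change an installed service.
$javaKey = "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
$jvmOpts = @()
if (Test-Path $javaKey) {
    $jvmOpts = @((Get-ItemProperty -Path $javaKey -Name Options).Options) |
               ForEach-Object { $_.Trim() }
} else {
    Write-Warning "procrun key not found for service '$ServiceName'; cannot verify JVM options"
}
$flagSet = $jvmOpts -contains '-Dlog4j2.formatMsgNoLookups=true'
Write-Output ("formatMsgNoLookups on service {0}: {1}" -f $ServiceName, $flagSet)

# 2. Every Log4j jar under the install: lib\, plus modules\ and plugins\, since a
#    plugin may bundle its own copy that a lib-only replacement would miss.
$report = foreach ($jar in Get-ChildItem -Path $EsHome -Recurse -Filter 'log4j-*.jar') {
    $ver = $null
    if ($jar.Name -match '-(\d+\.\d+\.\d+)\.jar$') { $ver = [version]$Matches[1] }

    # Only log4j-core carries JndiLookup; its absence means the "remove the class"
    # mitigation has been applied to that jar.
    $isCore  = $jar.Name -like 'log4j-core-*'
    $hasJndi = $null
    if ($isCore) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
        try     { $hasJndi = ($null -ne $zip.GetEntry($JndiClass)) }
        finally { $zip.Dispose() }
    }

    $status =
        if ($null -eq $ver)                             { 'UNKNOWN VERSION - inspect manually' }
        elseif ($ver -ge $MinFixed)                     { 'OK (>= 2.17.0)' }
        elseif (-not $isCore)                           { 'OLD - replace together with log4j-core (versions must match)' }
        elseif ($hasJndi -eq $false)                    { 'MITIGATED (JndiLookup.class removed) - still upgrade' }
        elseif ($flagSet -and $ver -ge $MinFlagHonour)  { 'PARTIAL (flag set; CVE-2021-45046 not covered) - upgrade' }
        else                                            { 'VULNERABLE' }

    [pscustomobject]@{
        Jar     = $jar.FullName.Substring($EsHome.Length).TrimStart('\')
        Version = $ver
        Status  = $status
    }
}

$report | Format-Table -AutoSize
```

Run it as an administrator on the search server after each change (for example `.\Audit-EsLog4j.ps1 -EsHome 'C:\elasticsearch-6.1.3'`). A clean result is every jar reporting OK and, if you applied the JVM option, the flag reported as True; a log4j-core at 2.17.0 next to a log4j-api at an older version indicates an incomplete replacement and should be fixed before the service is started.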