ASTRAPI Posted December 11, 2021 (edited)

Hello

There is a vulnerability that has been discovered in the popular Java logging library Log4j 2 which may allow attackers to run code remotely on your servers. Apache Log4j 2 is bundled with and used in many Java applications including Elasticsearch. So if you are using Elasticsearch you may be vulnerable.

Vulnerability info: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As there are no official patches out yet and exploitation of the vulnerability has already started, you may want to apply a workaround until an official patch is released:

So for Elasticsearch version 6.4 and up:

Edit your jvm.options configuration file, usually located at:

/etc/elasticsearch/jvm.options

and add this line at the end:

-Dlog4j2.formatMsgNoLookups=true

Then restart Elasticsearch using something like:

systemctl restart elasticsearch

If you are using Elasticsearch version 6.3 or any earlier version please upgrade asap to the latest version supported by Invision. The 6.3 and earlier versions are using an old version of Log4j which means the above workaround will not work!

Update also your JDK: When running on older JDKs, an attacker is able to inject and execute a remote Java class. On recent JDKs the attack is limited to potential DoS - causing data ingestion to temporarily stop - and information leakage, but no remote code execution attack vectors are known.

Keep your servers secured!!!!

Thanks

Edited December 11, 2021 by ASTRAPI
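The workaround above is easy to get subtly wrong on a fleet (appending the flag twice, appending to a file with no trailing newline, or applying it to a 6.3 node where it does nothing). The following POSIX shell script is an added example, not code from the post or from Elastic, that applies the flag idempotently to a jvm.options file and checks whether a given Elasticsearch version is in the 6.4+ range the post names. The file path is assumed to be passed as an argument, and the version check only parses the "major.minor" part of a version string.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the
# -Dlog4j2.formatMsgNoLookups=true workaround in an Elasticsearch jvm.options file.
# Assumptions: jvm.options is one JVM option per line; the file path is given
# as the first argument; "6.4 and up" is the eligible range, as the post states.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Returns 0 if the flag is present as a whole, uncommented line in the file.
# -x matches the whole line, -F treats the flag as a fixed string.
has_nolookups_flag() {
    grep -qxF -- "$FLAG" "$1" 2>/dev/null
}

# Appends the flag unless it is already present. Prints "added" or "already-present".
ensure_nolookups_flag() {
    file="$1"
    if has_nolookups_flag "$file"; then
        echo "already-present"
        return 0
    fi
    # If the file does not end with a newline, add one first so the flag
    # does not get glued onto the previous option.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$FLAG" >> "$file"
    echo "added"
}

# Returns 0 if an Elasticsearch version string (e.g. "6.8.23") is 6.4 or newer,
# i.e. in the range where the post says the jvm.options workaround applies.
# Versions 6.3 and earlier need an upgrade instead, per the post.
workaround_applies() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    minor=${minor:-0}
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; }
}

# Stand-alone usage: ./apply_nolookups.sh /etc/elasticsearch/jvm.options 6.8.23
if [ $# -ge 2 ]; then
    if workaround_applies "$2"; then
        ensure_nolookups_flag "$1"
        echo "restart Elasticsearch for the change to take effect"
    else
        echo "version $2 is older than 6.4: the flag has no effect, upgrade instead"
    fi
fi
```

Run it once per node after the change is made and again afterwards: the second run must print "already-present", which is a cheap way to confirm the flag actually landed in the file before you restart the service.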
IveLeft... Posted December 12, 2021

Good explanation here: https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j