Fix log4j2 CVE-2021-44228 about elk-docker HOT 7 CLOSED

@matprov ahh delightful, thanks for doing the additional digging

from elk-docker.

Thanks for raising this and highlighting the solution!

Have updated the repo to version 7.16.1 (ae7672d) and the images (regular and OSS) have been built — thereby fixing the issue.

from elk-docker.

@gnmerritt Unfortunately no, as per https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 :

Solutions and Mitigations:
Users should upgrade to Logstash 6.8.21 or 7.16.1 once they are released (expected Monday 13th December). These releases will replace vulnerable versions of Log4j with Log4j 2.15.0.

The widespread flag -Dlog4j2.formatMsgNoLookups=true is NOT sufficient to mitigate the vulnerability in Logstash in all cases, as Logstash uses Log4j in a way where the flag has no effect.

from elk-docker.

I really hope that no one is actually using this image in production 😱

Anyway 😄 I haven’t kept the v6 branch up-to-date since v7 was released, so there are are a few cobwebs there.
Still not planning to keep v6 up-to-date, but I do understand the urgency of updating to 6.8.22 for those still running v6, so I’ve updated the repo with the bare minimum changes to build 6.8.22, and built and published the image – with the caveat that all the new stuff in the current (v7) branch hasn’t been backported.

from elk-docker.

Per https://www.elastic.co/blog/detecting-log4j2-with-elastic-security it looks like we should be able to turn off the vulnerable code paths with this JVM flag: JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true

from elk-docker.

That's a good news @spujadas.
There is also the 6.x version (Logstash 6.8.22) that would need to be updated.
People running 6.x in prod might not be willing to update to 7.x at this time ;)

from elk-docker.

Great, thanks @spujadas for taking care of this issue!

from elk-docker.