Log4shell vulnerability

Hello, last week this vulnerability appeared: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec. I randomly tried to find the version in the Elasticsearch container, “7.8.1”, which is supposed to be vulnerable; see Mitigate Log4j2 / Log4Shell in Elasticsearch. The fix is only in versions >= 7.16.1; see Elasticsearch version 7.16.1 | Elasticsearch Guide [7.16] | Elastic.
Do you have any plans to mitigate this vulnerability for elastic and maybe for more components in tutor edX?

Thanks for raising this issue @mlebeda. I was not quite sure how to address this because:

  1. I wasn’t sure that elasticsearch was affected
  2. I do not know how to reproduce the issue

Yet, I understand from the link you sent that it should be possible to mitigate the issue by adding -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS (source). So I’ll do that for the moment. If a better solution is proposed later we can always make a new release.

EDIT: it appears that Elasticsearch 7.8.1 is not affected by log4shell: Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack

Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage. This is due to Elasticsearch’s usage of the Java Security Manager.

So I don’t think that there is anything we need to do in tutor. If someone thinks otherwise, please reach out privately to me by PM.

EDIT2: here is the JVM version currently used by elasticsearch in tutor:

$ tutor local run -p 9200:9200 elasticsearch
$ curl -XGET "http://localhost:9200/_nodes/jvm?pretty"
...
      "jvm" : {
        "pid" : 6,
        "version" : "14.0.1",
        "vm_name" : "OpenJDK 64-Bit Server VM",
        "vm_version" : "14.0.1+7",
        "vm_vendor" : "AdoptOpenJDK",
        "bundled_jdk" : true,
        "using_bundled_jdk" : true,
        "start_time_in_millis" : 1639484192292,
        "mem" : {
          "heap_init_in_bytes" : 1073741824,
          "heap_max_in_bytes" : 1073741824,
          "non_heap_init_in_bytes" : 7667712,
          "non_heap_max_in_bytes" : 0,
          "direct_max_in_bytes" : 0
        },
...
1 Like

In case anyone is using the older tutor v10.2 and is concerned about the Log4j2 vulnerability: checking the Elasticsearch container, it seems to use log4j (1.2.17), which is not vulnerable to the same issue as Log4j2. See the snyk.io report.

$ docker exec -it tutor_local_elasticsearch_1 bash
root@<container_id>:/usr/share/elasticsearch/lib# ls
# shows log4j-1.2.17.jar

If I am mistaken then please let me know.

1 Like
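As an added example (not part of this thread or of tutor), a small Python checker that combines the three facts the replies above inspect: the log4j jar listed under /usr/share/elasticsearch/lib, the Elasticsearch version, and the JVM version returned by `_nodes/jvm`. The jar names and version strings fed to it are constructed samples; the 2.15.0 fix release and the 2.10 minimum for `log4j2.formatMsgNoLookups` are Log4j release facts, and the 6.8.9+ / 7.8+ on JDK 9+ rule is the one quoted from the Elastic advisory.

```python
import re
from typing import Iterable, Optional

# Matches log4j-1.2.17.jar (log4j 1.x) and log4j-core-2.11.1.jar (log4j 2.x).
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$")
FIRST_FIXED = (2, 15, 0)          # first Log4j 2 release carrying the CVE-2021-44228 fix
FLAG_SUPPORTED_FROM = (2, 10, 0)  # log4j2.formatMsgNoLookups only exists from 2.10 onwards


def parse_version(text: str) -> tuple:
    """'2.11.1' -> (2, 11, 1); '1.8.0_292' -> (1, 8, 0, 292)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def jdk_major(jvm_version: str) -> int:
    """Java 8 reports itself as '1.8.0_292'; Java 9+ as e.g. '14.0.1'."""
    parts = parse_version(jvm_version)
    return parts[1] if parts[0] == 1 else parts[0]


def find_log4j(jar_names: Iterable[str]) -> Optional[tuple]:
    """Version tuple of the first log4j / log4j-core jar in the lib listing, if any."""
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            return parse_version(m.group(1))
    return None


def assess(jar_names: Iterable[str], es_version: str, jvm_version: str) -> dict:
    """Combine jar version, Elasticsearch version and JDK version into one verdict."""
    log4j = find_log4j(jar_names)
    es = parse_version(es_version)
    # Only Log4j 2.x below 2.15.0 carries CVE-2021-44228; log4j 1.x is a different code base.
    library_vulnerable = log4j is not None and log4j[0] == 2 and log4j < FIRST_FIXED
    # ESA-2021-31: Elasticsearch 6.8.9+ / 7.8+ on JDK 9+ is shielded by the Java Security Manager.
    es_protected = jdk_major(jvm_version) >= 9 and (es >= (7, 8) or (6, 8, 9) <= es < (7,))
    return {
        "log4j_version": ".".join(map(str, log4j)) if log4j else None,
        "library_vulnerable": library_vulnerable,
        "flag_mitigation_applies": library_vulnerable and log4j >= FLAG_SUPPORTED_FROM,
        "action_needed": library_vulnerable and not es_protected,
    }


if __name__ == "__main__":
    # Constructed sample: jar names as `ls` in the lib directory prints them, plus version strings.
    print(assess(["lucene-core-8.5.1.jar", "log4j-core-2.11.1.jar"], "7.8.1", "14.0.1"))
```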
