How to Mitigate the Stated Vulnerabilities on Wazuh server


prachi katakwar

Apr 25, 2022, 9:39:54 AM
to Wazuh mailing list
Hi Wazuh Team,

Hope you are doing great and enjoying the summer; at my end it's summer!!

So today we caught 2 high vulnerabilities on our Wazuh server: one is Apache Log4j and the other one is OpenJDK7.
I am not sure about the steps to remove the 2 vulnerabilities below. Could you please guide me?
image.png

The other one is : OpenJDK 7 <= 7u311 / 8 <= 8u302 / 11.0.0 <= 11.0.12 / 13.0.0 <= 13.0.8 / 15.0.0 <= 15.0.4 / 16.0.0 <= 16.0.2 Multiple Vulnerabilities
And the solution for it is below but not very confident about the steps to implement it.
image.png
BR
//Prachi

Awwal Ishiaku

Apr 26, 2022, 3:23:27 AM
to Wazuh mailing list
Hello Prachi,

Run the following commands on the Elasticsearch server to mitigate Apache Log4j2 Remote Code Execution (RCE) vulnerability - CVE-2021-44228 - ESA-2021-31.

# mkdir -p /etc/elasticsearch/jvm.options.d
# echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
# chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
# chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options

Restart Elasticsearch to apply the changes:
# systemctl restart elasticsearch

Let me know if you need further clarification.
Regards.
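
Added example (not part of the original thread, and not Wazuh or Elastic tooling): a shell check that the flag written by the commands above is in place, alongside the log4j-core jar versions still on disk. Function names are illustrative; the default paths and the 2.12.2 fixed version are the ones quoted in this thread, and GNU `sort -V` is assumed.

```sh
#!/bin/sh
# Added example: audit the Log4j mitigation on an Elasticsearch host.
# Defaults are the paths quoted in this thread; function names are illustrative.
ES_CONF="${ES_CONF:-/etc/elasticsearch}"
ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"

# Succeeds if an uncommented flag line exists in a *.options file under
# jvm.options.d (Elasticsearch ignores files without the .options suffix).
flag_configured() {
    grep -Eqs '^[[:space:]]*-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$' \
        "$ES_CONF"/jvm.options.d/*.options
}

# Prints "<version> <path>" per log4j-core jar, version taken from the file name.
# Copies bundled inside other jars (e.g. a CLI fat jar) are not inspected.
log4j_core_jars() {
    find "$ES_HOME" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        v="${jar##*/log4j-core-}"
        printf '%s %s\n' "${v%.jar}" "$jar"
    done
}

# version_lt A B: succeeds if dotted version A is older than B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# One status line for the flag, one per jar. $1 = fixed version
# (default 2.12.2, the value shown in the scan output in this thread).
report() {
    fixed="${1:-2.12.2}"
    if flag_configured; then echo "flag: configured"; else echo "flag: MISSING"; fi
    log4j_core_jars | while read -r ver path; do
        if version_lt "$ver" "$fixed"; then
            echo "jar: $path is $ver, older than $fixed; the file is unchanged by the flag"
        else
            echo "jar: $path is $ver, ok"
        fi
    done
}

report
```

The flag only changes JVM start-up options, so the jar files and the versions in their names stay as they were after the restart.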

prachi katakwar

Apr 26, 2022, 6:32:53 AM
to Awwal Ishiaku, Wazuh mailing list
Hi Awwal,

Hope you are well.

Please don't take me otherwise but did you get the chance to read the email carefully?
Are my screenshots visible to you?

In the first screenshot, regarding Apache Log4j, the solution given in the screenshot is to upgrade:

Upgrade to Apache Log4j version 2.3.1 / 2.12.3 / 2.15.0 or later, or apply the vendor mitigation on the below two paths:
Path              : /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
  Installed version : 2.11.1
  Fixed version     : 2.12.2

Path              : /usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.14.2.jar
  Installed version : 2.11.1
  Fixed version     : 2.12.2
I have applied your solution but nothing worked, also did you check the 2nd screenshot vulnerability regarding OpenJDK 7 <= 7u311 / 8 <= 8u302 / 11.0.0 <= 11.0.12 / 13.0.0 <= 13.0.8 / 15.0.0 <= 15.0.4 / 16.0.0 <= 16.0.2 Multiple Vulnerabilities ?

BR 
//Prachi


Awwal Ishiaku

Apr 26, 2022, 1:28:45 PM
to Wazuh mailing list
Hello,
The vulnerable component is Elasticsearch. According to Elastic, Elasticsearch is not vulnerable if configured this way: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Wazuh will be releasing version 4.3 soon which will include a new component (Wazuh indexer) that will replace Elasticsearch.

Let me know if you need further clarification.
Regards

prachi katakwar

Apr 26, 2022, 1:34:17 PM
to Awwal Ishiaku, Wazuh mailing list
Ok Awwal.
But how about the second one?
The other one is : OpenJDK 7 <= 7u311 / 8 <= 8u302 / 11.0.0 <= 11.0.12 / 13.0.0 <= 13.0.8 / 15.0.0 <= 15.0.4 / 16.0.0 <= 16.0.2 Multiple Vulnerabilities
And the solution for it is below but not very confident about the steps to implement it.
image.png

BR
//Prachi

Shahd alDuehim

Oct 20, 2022, 2:10:50 AM
to Wazuh mailing list
Hi all,
I am receiving the same vulnerabilities as Prachi stated.
I highly seek your support to provide us with a solution to remediate these vulnerabilities, especially for the OpenJDK one.

Thanks, 
BR 
Shahd