Open Distro 1.13.3 to cover Critical CVE-2021-44228 (log4j RCE)


Steve Cook
Dec 13, 2021, 11:50:01 AM
to Wazuh mailing list
Hi
What's the timeframe for releasing Open Distro 1.13.3 to the repo servers, as this is a fix for the critical CVE-2021-44228 for log4j?

Alfonso Ruiz-Bravo
Dec 13, 2021, 11:56:39 AM
to Wazuh mailing list
Hello Steve!

Thank you for your interest in Wazuh.

Our team is working hard on this issue to be able to release an updated version as soon as possible. 

In the immediate future, you can use the following workaround to mitigate the problem:

1. Create/Edit a new file within '/etc/elasticsearch/jvm.options.d' named 'disabledlog4j.options'

2. Add the following line or set it to true:
-Dlog4j2.formatMsgNoLookups=true

3. Save and exit the file.

4. Set user and permissions:
chmod 750 disabledlog4j.options
chown root:elasticsearch disabledlog4j.options

5. Restart the Elasticsearch service
service elasticsearch restart

Hope this helps, tell me otherwise.

Best regards,

Alfonso Ruiz-Bravo

Steve Cook
Dec 13, 2021, 12:23:56 PM
to Wazuh mailing list
Thank you for the lightning quick response, you're a star.

Paul Robertson
Dec 13, 2021, 5:25:47 PM
to Alfonso Ruiz-Bravo, Wazuh mailing list
Gmail's reply default sucks;

Does this fix also take care of logstash, or just ElasticSearch?


Alfonso Ruiz-Bravo
Dec 14, 2021, 4:11:55 AM
to Paul Robertson, Wazuh mailing list
Hello Paul!

For Logstash this workaround is not valid. Please find attached the official information provided by Elastic:


Logstash
Exposure to remote code execution exists on JDKs prior to 8u191. On newer versions of JDKs there is exposure to Denial of Service and information leakage, but no known remote code execution exposure. Mitigation requires removal of the JndiLookup class or update to Logstash version 6.8.21 or 7.16.1, which have been released on December 13th. Additional details below.

. . .

Logstash announcement (ESA-2021-31)

When running on JDKs older than 8u191 and 11.0.1, an attacker is able to inject and execute a remote Java class. On recent JDKs the attack is limited to DoS - causing data ingestion to temporarily stop - and information leakage, but no remote code execution attack vectors are known.

Affected Versions:
Logstash versions 5.0.0+ up to and including 7.16.0 contain a vulnerable version of Log4j.

Logstash versions 6.8.x and 7.x up to and including 7.16.0, when configured to run on JDKs below 8u191 and 11.0.1, allow for remote loading of Java classes.

Docker images below version 6.4.3 include a JDK older than 8u191, which means they are open to Remote Code Execution. Images 6.4.3+ don't have known RCE attacks but are still susceptible to Denial of Service and information leaks.

Solutions and Mitigations:
Users should upgrade to Logstash 6.8.21 or 7.16.1, which were released on December 13, 2021. These releases replace vulnerable versions of Log4j with Log4j 2.15.0.

The widespread flag -Dlog4j2.formatMsgNoLookups=true is NOT sufficient to mitigate the vulnerability in Logstash in all cases, as Logstash uses Log4j in a way where the flag has no effect. It is therefore necessary to remove the JndiLookup class from the log4j2 core jar, with the following command:

zip -q -d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class

Please note that a restart of the Logstash process is necessary for the change to take effect.

Best regards,

Alfonso Ruiz-Bravo
Cloud Computing Engineer
Wazuh, The Open Source Security Platform
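The two mitigations given in this thread (the Elasticsearch jvm.options.d flag from the Dec 13 reply, and the JndiLookup.class removal for Logstash quoted from Elastic above), scripted together as one added Python example. This is illustrative code, not Wazuh's or Elastic's tooling. The config directory and jar location are parameters so the functions can be exercised on a temporary directory; the jar that demo() builds is a constructed stand-in with dummy entries, not a real log4j-core jar, and the root:elasticsearch ownership step is only attempted when running as root on a host that has that group. The part worth having as code is the verify-then-strip on the jar, which is idempotent and reports whether anything changed, since the thread's point is that the JVM flag alone does not cover Logstash.

```python
"""Scripted versions of the two CVE-2021-44228 mitigations from this thread.

Added example, not Wazuh or Elastic code. Paths are parameters; the jar built by
demo() is a constructed fixture with dummy class bytes, not a real log4j jar.
"""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def write_es_jvm_option(conf_dir, filename="disabledlog4j.options"):
    """Elasticsearch workaround: write the flag to <conf_dir>/jvm.options.d/<filename>
    with mode 750. conf_dir is /etc/elasticsearch on a real host. chown to
    root:elasticsearch is only attempted as root and only if the group exists.
    Returns the path written; the service still has to be restarted."""
    options_dir = Path(conf_dir) / "jvm.options.d"
    options_dir.mkdir(parents=True, exist_ok=True)
    path = options_dir / filename
    path.write_text(JVM_FLAG + "\n")
    os.chmod(path, 0o750)
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        try:
            import grp
            os.chown(path, 0, grp.getgrnam("elasticsearch").gr_gid)
        except KeyError:  # no elasticsearch group on this host
            pass
    return str(path)


def jar_has_jndi_lookup(jar_path):
    """Check: does this jar still ship the JNDI lookup class?"""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Portable equivalent of `zip -q -d <jar> org/.../JndiLookup.class`: rewrite
    the jar without that entry, keeping every other entry. Returns True if the
    entry was removed, False if the jar did not contain it (safe to re-run)."""
    jar_path = Path(jar_path)
    tmp_path = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_ENTRY not in src.namelist():
            return False
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_ENTRY:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # atomic swap; Logstash still needs a restart
    return True


def mitigate_tree(root):
    """Apply strip_jndi_lookup to every log4j-core-2.*.jar found under root
    (the thread's <LOGSTASH_HOME>/logstash-core/lib/jars glob, searched recursively).
    Returns [(path, removed), ...]."""
    return [(p, strip_jndi_lookup(p))
            for p in sorted(Path(root).rglob("log4j-core-2.*.jar"))]


def make_sample_jar(path, include_jndi):
    """Constructed fixture: a jar-shaped zip with dummy class bytes, not real log4j."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def demo():
    """Run both mitigations against a constructed tree in a temp dir and return
    what happened, so the behaviour can be checked without a real install."""
    root = Path(tempfile.mkdtemp(prefix="log4shell-demo-"))
    jars = root / "logstash-core" / "lib" / "jars"
    jars.mkdir(parents=True)
    core = jars / "log4j-core-2.11.1.jar"
    make_sample_jar(core, include_jndi=True)
    make_sample_jar(jars / "log4j-api-2.11.1.jar", include_jndi=False)  # must be left alone
    es_file = write_es_jvm_option(root / "etc" / "elasticsearch")
    result = {
        "es_option_written": Path(es_file).read_text().strip() == JVM_FLAG,
        "vulnerable_before": jar_has_jndi_lookup(core),
        "first_run": [(p.name, removed) for p, removed in mitigate_tree(root)],
        "second_run": [(p.name, removed) for p, removed in mitigate_tree(root)],
        "vulnerable_after": jar_has_jndi_lookup(core),
    }
    with zipfile.ZipFile(core) as zf:
        result["remaining_entries"] = sorted(zf.namelist())
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host you would call write_es_jvm_option("/etc/elasticsearch") and mitigate_tree() with your LOGSTASH_HOME, then restart both services; the second run returning False for every jar is the confirmation that the class is gone. The rewrite-to-temp-then-os.replace keeps a readable jar on disk at every moment, which matters if Logstash happens to be starting while you patch.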

Utkarsh Bhargava
Jan 27, 2022, 11:16:59 AM
to Wazuh mailing list
Hi Community,

I have updated this log4j mitigation script. After that, the Open Distro Reporting plugin has stopped working.
Every time I try to download a PDF/PNG report it gives me the error "Error Downloading Report".

I looked into elasticsearch logs and didn't find any error while executing report download task.

I have attached a screenshot of the logs; please help me fix this bug.


