Patch log4j JAR to remove JndiLookup class #81629
Conversation
mark-vieira
added
:Delivery/Packaging
|
Pinging @elastic/es-delivery (Team:Delivery) |
|
@elasticmachine run elasticsearch-ci/part-1 |
|
@mark-vieira are you able to share the compatibility issue with log4j 2.15.0? (I didn't see any breaking changes in the manually-prepared version of their changelog, and understand there may be build issues in practice) |
|
Which Versions will get this Patch backported? |
| @@ -275,6 +275,10 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) { | |||
| } | |||
| } | |||
| } | |||
| all { | |||
| resolutionStrategy.dependencySubstitution { | |||
| substitute module("org.apache.logging.log4j:log4j-core") using project(":libs:elasticsearch-log4j") because "patched to remove JndiLookup clas"} | |||
There was a problem hiding this comment.
There is a small typo in clas.
There was a problem hiding this comment.
It would also be a good idea to put the } on a separate line for readability.
There was a problem hiding this comment.
Also, clas -> class (sorry for my OCD)
There was a problem hiding this comment.
Good catch. I was slightly... rushed 😉
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
I was informed by a teammate it would involve other code changes in Elasticsearch. I don't have the details right now but at the time given we wanted to get a fix out as quickly as possible we went the route of just patching the JAR. Our intention is to remove this in lieu of an updated log4j version eventually though. |
|
Thanks @mark-vieira for your time to respond (not to mention for the fix itself!). Completely understood re: the urgency of preparing a patched release. |
|
hi team are we still trying to bump the log4j version as a permanent fix? |
Yes, we still intend to upgrade log4j as a permanent solution here. |
|
@mark-vieira, do you have an ETA for when the log4j version update change will be released? |
|
No specific ETA at the moment but this is high priority for us. |
|
Do you plan to backport to 7.12.x version please? Because it is for example still supported by Spring Boot platform 2.5.x:
Thanks |
|
There is log4j 2.16.0 already |
|
Removing the JndiLookup class looks to have migrated CVE-2021-45046 |
|
Yes, but it looks like still vulnerable: https://twitter.com/cyb3rops/status/1470791578046406657?s=21. |
@hanusto The Elasticsearch dependency that Spring Boot brings in does not include a log4j implementation by default as it's an optional dependency. If you are using |
|
@mark-vieira but what I am trying to say is that Spring Boot supports the version of ES and the version of ES is vulnerable. So it is not about ES client used by SB but only about statement that SB app should be connected to vulnerable ES. If you will use newer version of ES, SB will say that there is some incompatibility. |
Understood. We don't intend to backport fixes to earlier unsupported versions of Elasticsearch. For Elasticseaarch 7.12 you are not vulnerable if running with Java 9 or later due to the behavior of the Java Security Manager. Alternatively you can add |
|
Xray scanning reports 7.16.1 still has log4j-core in elasticsearch-sql-cli.jar, which is located in /usr/share/elasticsearch/bin folder. ~/bin$ ls |
This reverts commit 9a3422e.
That is correct. We determined this wasn't an issue given that JAR isn't on the Elasticsearch server classpath. This is a "fatjar" bundled to be used as a CLI tool so is not susceptible to RCE. |
This reverts commit 9a3422e.
|
We installed logstash-7.16.1-1.x86_64 rpm on a Amazon Linux release 2 (Karoo) from https://artifacts.elastic.co/packages/7.x/yum and in /usr/share/logstash we executed and got Are you really sure that the JndiLookup class is removed in 7.16.1 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 is resolved??? |
|
The class file was only removed for Elasticsearch, not Logstash given that Logstash simply upgraded to Log4j to mitigate 2.15.0. It looks like Logstash has already already upgraded to Log4j 2.16.0 which further mitigates the CVE you mention and that should be available in the next release. |
|
@Marv1995 please see the earlier comment. |
We've all heard about the log4j vulnerability by now. We have other ways to mitigate this issue but since we can't completely block usages of this via SecurityManager, just blow this thing away altogether.
We could also upgrade to log4j 2.15.0 but there are compatibility issues with that.