-
Notifications
You must be signed in to change notification settings - Fork 372
Log4Shell
RedELK prior to v2 beta 5 is vulnerable to Log4Shell. This is because:
- Logstash prior to version 7.16.3 is vulnerable.
- Neo4j mage prior to 4.2 is vulnerable
Other components are either not vulnerable or implemented in such a way that they are not exploitable. Well, at least that is what we think after a quick review. The result of the review was either way that we should upgrade, so that is what we did. You can track our discussion on this topic here.
-
Immediate mitigating measure is to disable Logstash on your RedELK server. This way, no new data will come to your RedELK server.
-
Long term solutions are twofold: new installation (preferred) or upgrade (not preferred, not extensively tested).
The preferred way is to nuke your RedELK install and install at least version v2.0.0.0beta5.
Warning, upgrading RedELK was never supported and never thought of. RedELK installs should not existing beyond a single operation, most likely at max a few months.
However, due to log4shell, we tried to see if upgrading is possible without breaking too much.
On your elkserver:
- Stop all redelk docker images:
docker stop $(docker ps -a -q --filter="name=redelk")
- Set the right RedELK version: In file
/elkserver/.env
setREDELKVERSION=v2.0.0-beta.5
- Disable Kibana app installation: In file
/elkserver/docker/redelk-kibana/Dockerfile
comment out the last line to disable the installation of the Kibana RedELK app. Should read like#RUN /usr/share/kibana/bin/kibana-plugin install https:/github.com/fastlorenzo/redelk-kibana-app/releases/download/v0.3.0/redelk-7.10.0.zip
- In your
docker-compose.yml
, update the used Neo4j image version of the 'bloodhound' container to 4.4.3, i.e.:image: neo4j:4.4.3
- run
docker-compose pull
, to pull the new image versions - run
docker-compose up -d
- Wait several minutes for
docker-compose
to complete. It could take a while before all containers are fully up and running. - Browse to your Kibana RedELK interface. This should work. If not, wait some more and maybe check the docker logs. You can safely ignore the error on
serverbaseUrl
(or something like that).
On all your c2 servers and redirectors:
- Make a backup of your filebeat config:
cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.backupredelkupgrade
- stop the filebeat service:
service filebeat stop
- upgrade filebeat to 7.16.3:
apt-get update && apt-get install filebeat="7.16.3"
- If apt asks to overwrite the filebeat config file, say No. If apt did it anyway, well, you still got your backup config file.
- Start the filebeat service:
service filebeat start
You can check that new events are coming in on your RedELK server by looking for agent.version
fields containing 7.16.3