Does CVE-2021-44228 impact OpenSearch

CVE-2021-44228 has been recently published for log4j. As OpenSearch uses log4j, it would be good to understand the impact and what the plan may be to address any issues.

this has already been brought up here:

i’d suggest to keep the discussions in one place

1 Like

@robcowart you’ve probably seen the banner topic, but yep, we’re working on it. I agree with @ralph - let’s take it over to the other thread.

Actually I have “banner blindness”, like “ad blindness”. I did a search for CVE-2021-44228 before posting and got no result. Agreed keep it in a single thread.

2 Likes

We’re updated in both Open Distro and OpenSearch!

2 Likes

I cannot find any information if Logstash OSS with OpenSearch output is affected? And if so, how are we mitigating this? Thanks for the quick and great work.

1 Like

@searchymcsearchface Is logstoash-oss affected or not? In the elastic article (Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack) there is a fix but the current opensearch oss logstash version is from 1 month. If logstash oss is affected, is there any bugfix in progress?

Thanks in advance

@victor / @thsul Logstash-oss is affected. OpenSearch doesn’t build Logstash (we only match the OSS version up with the the OpenSearch output plugin), so we’re reliant on Elastic’s release. The mitigations mentioned by Elastic in the forum post would apply.

That being said, it looks like Elastic has 1.16.1 out as of this morning. We have some engineers currently working on updating the distribution and confirming that the fix is in place.

3 Likes

Thanks for the reply. Elastic released another patch.

We’re working on a 1.2.3 release - and will also work to update our Logstash Docker image