CVE-2021-44228 has been recently published for log4j. As OpenSearch uses log4j, it would be good to understand the impact and what the plan may be to address any issues.

this has already been brought up here: [image] Log4j2 vulnerability in OpenSearch Security Hi all, I just became aware of this security issue that I think applies to OpenSearch since version 1.0.0 it’s basically an REC issue when log4j2 is used and process logs client r…

@robcowart you’ve probably seen the banner topic, but yep, we’re working on it. I agree with @ralph - let’s take it over to the other thread. [image] Log4j Patch for CVE-2021-44228 Announcements Update 2021-12-22: OpenSearch 1.2.3 is now available - please see Log4j Patc…

Actually I have “banner blindness”, like “ad blindness”. I did a search for CVE-2021-44228 before posting and got no result. Agreed keep it in a single thread.

We’re updated in both Open Distro and OpenSearch!

I cannot find any information if Logstash OSS with OpenSearch output is affected? And if so, how are we mitigating this? Thanks for the quick and great work.

@searchymcsearchface Is logstoash-oss affected or not? In the elastic article ( Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack ) there is a fix but the current opensearch oss logstash version is from 1 month.…

@victor / @thsul Logstash-oss is affected. OpenSearch doesn’t build Logstash (we only match the OSS version up with the the OpenSearch output plugin), so we’re reliant on Elastic’s release. The mitigations mentioned by Elastic in the forum post would apply. That being said, it looks like Elastic ha…

Thanks for the reply. Elastic released another patch.

Does CVE-2021-44228 impact OpenSearch

General Feedback

kris December 20, 2021, 7:24pm 10

We’re working on a 1.2.3 release - and will also work to update our Logstash Docker image

Topic		Replies	Views
Log4j Patch for CVE-2021-44228 Announcements cve	6	13510	February 15, 2023
OpenSearch 1.2.2 version still showing log4j Vulnerability findings Security cve , security-issue	13	1143	January 10, 2022
Logstash OSS with OpenSearch Output Plugin Log4j vulnerable OpenDistro cve , security-issue	7	1917	December 16, 2021
Log4j issue - CVE-2021-44832 Security discuss , cve , security-issue	16	1585	February 10, 2022
Log4j Patch for CVE-2021-45046 Announcements releases , cve	3	971	February 15, 2023

Does CVE-2021-44228 impact OpenSearch

Related topics