Log4j2 vulnerability in OpenSearch

Hi all,

I just became aware of this security issue that I think applies to OpenSearch since version 1.0.0

It’s basically an RCE issue when log4j2 is used and processes/logs client requests.

would like to see what people think and if there is any plan to patch this.

Thank you,
Long

3 Likes

Hey @longhoang - we’re working on it.

Is it safe to use the log4j2.formatMsgNoLookups=true JVM option with Elasticsearch? I would assume so, but wanted to ask before making any changes.

@dswitzer2 We’re working to figure out if that covers it.

I know you are all busy, but hopefully, your resolution will cover Opendistro also, since I am not yet able to cross-grade to Opensearch.

Opendistro v1.13.2
ES-oss v 7.10.2

tx,
rlk

@rlk5546 Yeah - we’re looking at an Open Distro fix currently. We wanted to get OpenSearch out of the way first.

1 Like

Preliminarily, it looks like the log4j2.formatMsgNoLookups mitigation is acceptable, but not ideal. This will be the path for some users that will be difficult to upgrade. Stay tuned.

Looks like version 1.2 is patched: https://github.com/opensearch-project/OpenSearch/commit/e3a44fa71b290fb265a94ef4297f044b9a63a762. But there is no updated Docker image version yet; did I miss it somewhere, or will it take some time for the image to be published on Docker Hub?

@tomas123 No - it’s not out yet. Having a patch in the code vs the distribution out is quite different. Working on getting it out this morning.

1 Like

Hey folks - OpenSearch and Open Distro have both been updated.

3 Likes

Do we know if there is likely to be any backports available for the earlier versions of OpenDistro too?

Hello @daleo - welcome to the forums.

The only release update I know of for OpenDistro is 1.13.3.
This blog post has a link to further information regarding “For those who cannot upgrade to 1.13.3”:
https://opendistro.github.io/for-elasticsearch/blog/2021/12/update-to-1-13-3/

Checking to make sure - have all the repositories been updated as well? Yum, Apt, Dockerhub etc…


I’m wondering the same… we’re working on upgrading to a Docker-based OpenSearch system but still have a Debian-package-based Open Distro cluster out there… could really use an Open Distro Debian package release for this vuln.

1 Like

The Open Distro deb and rpm packages are built on top of the upstream Elasticsearch deb and rpm packages, and those upstream packages are what contains the Log4j2 jars. So we’ve been looking really hard at what the options are for distributing a release that contains a fix, and there are fewer options here than there are for the .tgz and Docker builds.

Right now it looks like we’d need to develop a deb & rpm packaging process more or less from scratch, and doing that in a way that retains backward compatibility and upgradeability for existing users is underway and will likely take several weeks of development.

If you’re using Open Distro < 1.13.2 or the Open Distro 1.13.2 deb/rpm packages, please apply one of the mitigations from the Log4j2 website in the section beginning “For those who cannot upgrade to 2.15.0…”. All users can and should do this immediately, while we work to create deb/rpm packages that have at least one of these mitigations built-in by default.

3 Likes
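For the "apply one of the mitigations" advice above, and the earlier question about whether log4j2.formatMsgNoLookups=true is enough, here is a small scanner/remediation script. It is an added example for this thread, not code from OpenSearch, Open Distro or the Log4j project. It walks an install tree for log4j-core jars, reads the version from the Maven pom.properties (falling back to the file name), reports whether the jar still contains the JndiLookup class, and can strip that class in place, which is the same thing the documented `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` mitigation does. The demo tree, the jar contents and the versions in `demo()` are constructed for the example; the version thresholds in `advice()` (2.10 for the flag, 2.16 for the upstream fix) are this example's own reading of the Log4j advisory, so check them against the current advisory before relying on them.

```python
"""Find log4j-core jars, report whether JndiLookup.class is present, and strip it.

Added example for this forum thread; not OpenSearch, Open Distro or Log4j code.
"""
import os
import re
import shutil
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built log4j-core jars record their version here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_RE = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Only the dotted numeric prefix counts."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


@dataclass
class JarReport:
    path: str
    version: Tuple[int, ...]
    has_jndi_lookup: bool

    def advice(self) -> str:
        # Thresholds are this example's assumptions based on the Log4j advisory.
        if not self.has_jndi_lookup:
            return "mitigated: JndiLookup class is absent"
        if self.version >= (2, 16, 0):
            return "patched upstream: JNDI disabled by default, message lookups removed"
        if self.version >= (2, 10):
            return "vulnerable: strip JndiLookup.class; formatMsgNoLookups=true is only a stopgap"
        return "vulnerable: strip JndiLookup.class (formatMsgNoLookups unsupported before 2.10)"


def inspect_jar(path: str) -> JarReport:
    """Read version and JndiLookup presence from one jar without executing anything in it."""
    version: Tuple[int, ...] = ()
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        has_jndi = JNDI_LOOKUP in names
    if not version:  # fall back to the file name, e.g. log4j-core-2.11.1.jar
        m = FILENAME_RE.search(os.path.basename(path))
        if m:
            version = parse_version(m.group(1))
    return JarReport(path, version, has_jndi)


def scan(root: str) -> List[JarReport]:
    """Inspect every log4j-core*.jar under root (lib/, plugins/, modules/ ...)."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("log4j-core") and name.endswith(".jar"):
                reports.append(inspect_jar(os.path.join(dirpath, name)))
    return reports


def strip_jndi_lookup(path: str) -> bool:
    """Rewrite the jar without JndiLookup.class (what `zip -q -d` does). True if removed."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)  # atomic swap; restart the JVM afterwards so the old jar is unmapped
    return True


def make_demo_jar(path: str, version: str, include_jndi: bool) -> None:
    """Constructed stand-in for a log4j-core jar; the class bytes are dummies, not real Log4j."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo() -> List[Tuple[str, str, str]]:
    """Constructed lib/ tree; returns (jar name, advice before, advice after remediation)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        make_demo_jar(os.path.join(lib, "log4j-core-2.11.1.jar"), "2.11.1", True)  # assumed old bundle
        make_demo_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)  # assumed fixed bundle
        results = []
        for rep in scan(root):
            before = rep.advice()
            if rep.has_jndi_lookup and rep.version < (2, 16, 0):
                strip_jndi_lookup(rep.path)
            after = inspect_jar(rep.path).advice()
            results.append((os.path.basename(rep.path), before, after))
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for jar, before, after in demo():
        print(f"{jar}: {before} -> {after}")
```

Run `scan()` against the install root (and any plugin directories) rather than only `lib/`, since a bundled plugin can carry its own log4j-core copy; after stripping, restart the JVM, because a running process keeps the old jar mapped.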

HI @daleo , Open Distro has historically always applied security fixes to the latest version. If you are unable for any reason to upgrade to version 1.13.3, please apply one of the mitigations from the Log4j2 website in the section beginning “For those who cannot upgrade to 2.15.0…”.

2 Likes

Is there any plan to release stand-alone OpenDistro plugins for 1.13.3?
(Like described here: Standalone Elasticsearch Plugin Install - Open Distro Documentation)

Hi,
Which Logstash do you recommend using for Open Distro 1.13.3 in order to have that vuln fixed?
They are going to fix it for Logstash 7.16.1, which isn’t compatible with Open Distro.
Thanks!

Any updates for those of us who are using helm to deploy opendistro? I upgraded the image to 1.13.3 and got an error.

#edit - so it looks like if I leave the Kibana image at 1.13.2 and change the Elasticsearch image to 1.13.3 we are good, the service starts. Can I get confirmation this is the desired state for Helm?

Ahh thanks for that link, this confirms what i was seeing.

Let me verify what’s being done on that front. As I understand it, the Open Distro distribution was patched by removing class paths, not really a rebuild.