Hi all, I just became aware of this security issue that I think applies to OpenSearch since version 1.0.0 [image] Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package |... Given how ubiquitous log4j is, the impact of this vulnerability is quite severe. Learn how t…

I am using opensearchproject/logstash-oss-with-opensearch-output-plugin:7.13.4 for logstash container. It cannot find the zip command. Any suggestions?

when I tried this, logstash container stopped because, it could not find the output plugin ‘opensearch’. what docker image are you using for logstash?

@usal - Hi, I am running the same setup as @blaklabz . I created a custom images with logstash 7.16.1 as base image and installing opensearch output plugin. Reference Dockerfile: FROM docker.elastic.co/logstash/logstash:7.16.1 RUN bin/logstash-plugin install logstash-output-opensearch And post tha…

Has someone checked if the JndiLookup.class is used or bundled somewhere else in the framework(s)? $ grep -ir "JndiLookup.class" /usr/ Binary file /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.3-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.3/lo…

The “Logstash OSS with OpenSearch Output Plugin” on the download page and the corresponding Docker images are months old and are therefore are still using the vulnerable log4j version. Will there be an update? If anything there should be a big warning next to those downloads that they are insecure. …

So I went to the link https://hub.docker.com/r/opensearchproject/logstash-oss-with-opensearch-output-plugin This was the link I used for the docker image image: repository: opensearchproject/logstash-oss-with-opensearch-output-plugin tag: latest But as others have mentioned, this image is 1 mo…

Updated Logstash OSS with OpenSearch Output Plugin now available as well [image] Log4j Patch for CVE-2021-45046 Announcements Update 2021-12-22: OpenSearch 1.2.3 is now available - please see Log4j Patch for CVE-2021-45105 2021-12-20: OpenSearch 1.2.3 is in progress whic…

there is a new log4j 2.17.0 out. Can a new OpenDistro docker image be published? [image] Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability | Read breaking news and high quality articles on cyber sec…

Would removing JndiLookup.class be enough to mitigate this vulnerability (CVE-2021-45105) which exists in 2.16? If not, then what is the mitigation process for this vulnerability both on OpenSearch and OpenDistro?

Log4j2 vulnerability in OpenSearch

Security

spapadop December 16, 2021, 12:48pm 50

There’s a thread on this. Bottom-line is that a new release is coming there.

Topic		Replies	Views
Logstash OSS with OpenSearch Output Plugin Log4j vulnerable OpenDistro cve , security-issue	7	1920	December 16, 2021
OpenSearch 1.2.2 version still showing log4j Vulnerability findings Security cve , security-issue	13	1183	January 10, 2022
Log4j Patch for CVE-2021-44228 Announcements cve	3	13529	December 16, 2021
Does CVE-2021-44228 impact OpenSearch General Feedback cve	9	1726	December 20, 2021
Log4j Patch for CVE-2021-45046 Announcements releases , cve	0	975	December 16, 2021

Log4j2 vulnerability in OpenSearch

Related topics