Log4j2 vulnerability in OpenSearch

Hello All

Happy New Year to everyone!

In order to fix the log4j vulnerability, I tried to install the latest Logstash OSS version 7.16.2, and we are using Open Distro for Elasticsearch version 1.13.3 (recently upgraded from 1.13.2 to 1.13.3 due to the log4j issue).

I noticed "Compatibility errors" after installing and starting the logstash service.
Please let us know if logstash-oss 7.16.2 is not compatible with Open Distro for Elasticsearch 1.13.3.
If so, could you please confirm whether this will be fixed in future logstash-oss versions?

Error logs:

Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2022-01-03T13:39:33,407][INFO ][logstash.runner ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2022-01-03T13:39:33,421][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.16.2", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 25.302-b08 on 1.8.0_302-b08 +indy +jit [linux-x86_64]"}
[2022-01-03T13:39:34,743][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-01-03T13:39:36,327][INFO ][org.reflections.Reflections] Reflections took 70 ms to scan 1 urls, producing 119 keys and 417 values
[2022-01-03T13:39:37,703][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["https://msb-elk.de050.corpintra.net:9200"]}
[2022-01-03T13:39:37,742][WARN ][logstash.outputs.elasticsearch][main] ** WARNING ** Detected UNSAFE options in elasticsearch output configuration!
** WARNING ** You have enabled encryption but DISABLED certificate verification.
** WARNING ** To make sure your data is secure change :ssl_certificate_verification to true
[2022-01-03T13:39:38,072][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[https://elastic:xxxxxx@msb-elk.de050.corpintra.net:9200/]}}
[2022-01-03T13:39:38,479][ERROR][logstash.javapipeline ][main] Pipeline error {:pipeline_id=>"main", :exception=>#<LogStash::ConfigurationError: Could not connect to a compatible version of Elasticsearch>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-11.2.3-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:247:in `block in healthcheck!'"

Thanks in advance!

Maybe migrate to the opensearch or amazon_es output plugins for Logstash.

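The migration suggested in the reply above, as an added example that is not from the original thread or from the OpenSearch project: the output stanza that matches the warnings in the posted log (Logstash 7.16.2's elasticsearch output refusing a non-Elastic cluster, with certificate verification disabled) beside an equivalent stanza for the logstash-output-opensearch plugin with verification turned on. The hostname and user are taken from the log; the password variable, CA bundle path and index pattern are assumptions.

```conf
# --- Before: elasticsearch output against Open Distro 1.13.3 (hypothetical
#     stanza reconstructed from the warnings in the log). Logstash 7.16.2's
#     elasticsearch output refuses to start against a non-Elastic cluster, and
#     with verification off the TLS session can be intercepted in transit.
output {
  elasticsearch {
    hosts    => ["https://msb-elk.de050.corpintra.net:9200"]
    user     => "elastic"
    password => "${ES_PASSWORD}"            # from the Logstash keystore or env
    ssl      => true
    ssl_certificate_verification => false   # the UNSAFE option named in the log
    index    => "logstash-%{+YYYY.MM.dd}"
  }
}

# --- After: opensearch output. Install the plugin first with
#       bin/logstash-plugin install logstash-output-opensearch
#     Verification is on and the cluster's CA bundle is pinned (path assumed).
output {
  opensearch {
    hosts    => ["https://msb-elk.de050.corpintra.net:9200"]
    user     => "elastic"
    password => "${ES_PASSWORD}"
    ssl      => true
    ssl_certificate_verification => true
    cacert   => "/etc/logstash/certs/opendistro-ca.pem"
    index    => "logstash-%{+YYYY.MM.dd}"
  }
}
```

Keep only one of the two `output {}` blocks in the live pipeline; they are shown together to make the diff obvious. With `cacert` set to the CA that signed the cluster certificate, the "Detected UNSAFE options" warning disappears and a man-in-the-middle on port 9200 is no longer silently accepted.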

Hi @kris, is there a plan to release OpenSearch 1.2.4 with log4j 2.17.1?

@longhoang Yes, it will have Log4j 2.17.1. See the link below.

  1. Bump log4j to 2.17.1 · Issue #1548 · opensearch-project/security · GitHub

Thanks @John. Correct @longhoang, that is what we're evaluating currently.

Awesome, thanks guys.
Any chance you are aware of an ETA for 1.2.4?

@longhoang no ETA yet


Update: we're going to aim for Jan 18 to release 1.2.4. Feel free to follow progress on the GitHub issue.


Hi all, I need help/suggestions on remediating the log4j vulnerability in my OD setup.
I am running 0.10.0 (ES version 6.8.1) on RHEL7 with JDK 11.
Going through all the messages here and on the ES website, it seems we are not affected by 2 of the CVEs but will have to remediate the other 2.
But our security team is asking us, in any case, to upgrade log4j from 2.11.
Now I have 2 questions:
  1. Do we have any tested doc for upgrading log4j only in an OD 0.10.0 setup?
  2. Can I upgrade from OD 0.10.0 (6.8.1) to ES 6.8.23, which has mitigated all vulnerabilities?

We can upgrade/migrate to ES 7.x.

Any suggestion will be appreciated.
Thanks.
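Before choosing between a jar-only log4j bump and a full upgrade, it helps to see exactly which log4j-core jars are on disk, what version each manifest declares, and whether the JndiLookup class (the lookup path abused by CVE-2021-44228) is still packaged. The script below is an added example, not code from the Open Distro or OpenSearch projects: it walks an install tree, reads each jar's MANIFEST.MF, and classifies the jar against a target version. The 2.17.1 target is the version this thread says OpenSearch 1.2.4 will ship; the sample jars and directory layout are constructed inline so the script runs offline.

```python
"""Audit an install tree for log4j-core jars (added example, not project code).

Reports each jar's Implementation-Version and whether JndiLookup.class is
still present, then classifies it against a target version. Sample jars
are constructed below; the 2.17.1 target and the paths are assumptions.
"""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"   # identifies log4j-core
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)
# Version the thread is waiting on for OpenSearch 1.2.4 (Java 8+ release line).
TARGET = (2, 17, 1)


def parse_version(text):
    """'2.11.1' -> (2, 11, 1); only numeric components are kept."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def inspect_jar(path):
    """Return version/JndiLookup facts for a log4j-core jar, or None for other jars."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if CORE_MARKER not in names:
            return None
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    match = VERSION_RE.search(manifest)
    return {
        "path": str(path),
        "version": match.group(1) if match else None,
        "jndi_lookup": JNDI_LOOKUP in names,
    }


def assess(info, target=TARGET):
    """Classify one log4j-core jar relative to the target version."""
    if info["version"] is None:
        return "unknown-version"
    if parse_version(info["version"]) >= target:
        return "ok"
    if info["jndi_lookup"]:
        return "vulnerable-upgrade-required"
    # JndiLookup.class was stripped by hand: that blocks the JNDI lookup path
    # only, and the jar is still below target, so it is still flagged.
    return "jndilookup-removed-still-upgrade"


def scan_tree(root):
    """Walk root, inspect every *.jar, and return findings for log4j-core jars only."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        info = inspect_jar(jar)
        if info is not None:
            info["verdict"] = assess(info)
            findings.append(info)
    return findings


def _write_jar(path, version, with_jndi, core=True):
    """Build a minimal constructed jar that mimics log4j-core's layout."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if core:
            zf.writestr(CORE_MARKER, b"")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"")


def build_sample_tree():
    """Constructed sample tree: an old jar with JndiLookup, one at target, one unrelated."""
    root = Path(tempfile.mkdtemp(prefix="log4j-audit-"))
    plugin_dir = root / "plugins" / "opendistro_security"
    lib_dir = root / "lib"
    plugin_dir.mkdir(parents=True)
    lib_dir.mkdir()
    _write_jar(plugin_dir / "log4j-core-2.11.1.jar", "2.11.1", with_jndi=True)
    _write_jar(lib_dir / "log4j-core-2.17.1.jar", "2.17.1", with_jndi=False)
    _write_jar(lib_dir / "jackson-core-2.10.4.jar", "2.10.4", with_jndi=False, core=False)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(f"{finding['verdict']:32} {finding['version']!s:8} "
              f"jndi={finding['jndi_lookup']!s:5} {finding['path']}")
```

Point it at the real tree (for example the Open Distro install root, which includes each plugin directory, since plugins bundle their own copies) by calling `scan_tree("/usr/share/elasticsearch")`. Anything other than `ok` means a copy of log4j-core below the target is still loaded somewhere, which is what the security team's request is really about.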

Hello @ravibhooshan, regarding your question about upgrading Log4j without upgrading anything else, I would imagine that would be unsupported. The differences in the way Log4j handles things between versions may cause issues if not upgrading everything together. Also, for the time being, there is an upgrade path between Open Distro for Elasticsearch and OpenSearch; however, this may not be the case in the future depending on the differences. I would suggest migrating to OpenSearch as a way to stay current on features, performance optimizations and security. Below is one document on how to perform the upgrade process that may help you.

  1. Upgrade from Elasticsearch OSS to OpenSearch - OpenSearch documentation

Hi,
We use Logstash on Windows machines, but on the download page there is no such version of the new Logstash with the OpenSearch output plugin! What can we do to protect our customers from the log4j vulnerability?
Thanks

You'll need to get Logstash and the output plugin separately.

  1. Download Logstash OSS
  2. Download Logstash Output Plugin for OpenSearch or as a Ruby Gem
