This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

Safe options for log4j2 - CVE-2021-44228 #841

Open
kcris opened this issue Dec 20, 2021 · 4 comments

Comments

@kcris

kcris commented Dec 20, 2021

Given the recent log4j2 security issue, it's a good idea to use -Dlog4j2.formatMsgNoLookups=true in the ES role's jvm.options.

@kcris kcris changed the title safe options for log4j2 Safe options for log4j2 - CVE-2021-44228 Dec 20, 2021
@hendry-lim

It was added as the default JVM option in Elasticsearch 7.16.1 81622.

@kcris

kcris commented Dec 21, 2021

Indeed, but what about older ES versions?

@hendry-lim

The default version for the role has been upgraded to 7.16.2.
Even with that flag added, it will still be vulnerable to CVE-2021-45046 without removing the JNDI class, hence the recommendation is to upgrade to 7.16.2.
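Example code added here to make the points in this thread checkable on a host; it is not part of the ansible-elasticsearch role or of either comment. It assumes a plain numeric version string and builds a stand-in log4j-core jar with dummy entries in place of a real one; it checks the jvm.options flag, whether JndiLookup.class is still present in the jar (the CVE-2021-45046 case), whether the ES version is below 7.16.2, and shows the class removal mentioned above.

```python
import io
import zipfile

NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_ES_VERSION = (7, 16, 2)  # version the role's default was bumped to


def has_no_lookups_flag(jvm_options_text: str) -> bool:
    """True when jvm.options sets the flag on an uncommented line."""
    return any(line.strip() == NO_LOOKUPS_FLAG
               for line in jvm_options_text.splitlines()
               if not line.lstrip().startswith("#"))


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True when the log4j-core jar still ships JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class (what removing the JNDI class means)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def assess(es_version: str, jvm_options_text: str, jar_bytes: bytes) -> list:
    """Return the findings to act on; an empty list means all three checks pass."""
    findings = []
    version = tuple(int(p) for p in es_version.split("."))  # assumes "7.16.1" style
    if version < FIXED_ES_VERSION:
        findings.append("upgrade-es")                    # thread's recommendation
    if not has_no_lookups_flag(jvm_options_text):
        findings.append("missing-formatMsgNoLookups")    # CVE-2021-44228 flag absent
    if jar_has_jndi_lookup(jar_bytes):
        findings.append("JndiLookup-present")            # CVE-2021-45046 still reachable
    return findings


def constructed_jar(with_jndi: bool = True) -> bytes:
    """Constructed stand-in jar: entries carry dummy bytes, not real class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

On a real host, read jvm.options from the role's config directory and the log4j-core jar from the Elasticsearch lib directory instead of the constructed inputs.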

@botelastic

botelastic bot commented Jun 24, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
