{"id":11218,"date":"2021-12-20T12:41:00","date_gmt":"2021-12-20T17:41:00","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=11218"},"modified":"2024-11-07T12:56:14","modified_gmt":"2024-11-07T17:56:14","slug":"elasticsearch-7-7-0-log4j-vulnerability-remediation","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=11218","title":{"rendered":"ElasticSearch 7.7.0 Log4J Vulnerability Remediation"},"content":{"rendered":"\n

We are a little stuck with our ElasticSearch implementation — we need the OpenDistro authentication, so either need to buy newer ElasticSearch or move to OpenSearch. That’s an ongoing project, but it won’t be accomplished in a timely fashion to address these log4j issues. <\/p>\n\n\n\n

To address the existing Log4J issues in ElasticSearch<\/a> as well as, evidently, another challenge that meant a new log4j build over the weekend, I am manually replacing the Log4j jar files for ElasticSearch 7.7.0, OpenDistro Security, and the S3 backup plugin. The 2.11.1 version that was bundled with the distribution can be replaced with the 2.17.0 release from Dec 18th. <\/p>\n\n\n\n

The new JARs can be downloaded from Maven Repo at:<\/p>\n\n\n\n

https:\/\/mvnrepository.com\/artifact\/org.apache.logging.log4j\/log4j-core\/<\/a>
https:\/\/mvnrepository.com\/artifact\/org.apache.logging.log4j\/log4j-api\/<\/a>
https:\/\/mvnrepository.com\/artifact\/org.apache.logging.log4j\/log4j-slf4j-impl\/<\/a>
https:\/\/mvnrepository.com\/artifact\/org.apache.logging.log4j\/log4j-1.2-api\/<\/a><\/p>\n\n\n\n

To upgrade just log4j, the following script is run … well first<\/em> allocation is disabled:<\/p>\n\n\n

\n# Stuff to stop\/start routing in Kibana\nPOST \/_flush\/synced\n\nPUT \/_cluster\/settings \n{ "transient" : { "cluster.routing.allocation.enable": "none" } }\n\n<\/pre><\/div>\n\n\n
Then the script is run:<\/p>\n\n\n
\nexport l4jver=2.17.0\nsystemctl stop elasticsearch \n\n# Remove old jars\nrm  --interactive=never \/opt\/elk\/elasticsearch\/lib\/log4j-api-*.jar\nrm  --interactive=never \/opt\/elk\/elasticsearch\/lib\/log4j-core-*.jar\nrm  --interactive=never \/opt\/elk\/elasticsearch\/modules\/x-pack-identity-provider\/log4j-slf4j-impl-*.jar\nrm  --interactive=never \/opt\/elk\/elasticsearch\/modules\/x-pack-security\/log4j-slf4j-impl-*.jar\nrm  --interactive=never \/opt\/elk\/elasticsearch\/plugins\/opendistro_security\/log4j-slf4j-impl-*.jar\nrm  --interactive=never \/opt\/elk\/elasticsearch\/modules\/x-pack-core\/log4j-1.2-api-*.jar \nrm  --interactive=never \/opt\/elk\/elasticsearch\/plugins\/repository-s3\/log4j-1.2-api-*.jar \n\n# Copy in upgraded jars\ncp \/tmp\/log4j-api-$l4jver*.jar \/opt\/elk\/elasticsearch\/lib\/\ncp \/tmp\/log4j-core-$l4jver*.jar \/opt\/elk\/elasticsearch\/lib\/\ncp \/tmp\/log4j-slf4j-impl-$l4jver*.jar \/opt\/elk\/elasticsearch\/modules\/x-pack-identity-provider\/\ncp \/tmp\/log4j-slf4j-impl-$l4jver*.jar \/opt\/elk\/elasticsearch\/modules\/x-pack-security\/\ncp \/tmp\/log4j-slf4j-impl-$l4jver*.jar \/opt\/elk\/elasticsearch\/plugins\/opendistro_security\/\ncp \/tmp\/log4j-1.2-api-$l4jver*.jar \/opt\/elk\/elasticsearch\/modules\/x-pack-core\/\ncp \/tmp\/log4j-1.2-api-$l4jver*.jar \/opt\/elk\/elasticsearch\/plugins\/repository-s3\/\n\n# Fix permissions\nchown elkadmin:elkadmin \/opt\/elk\/elasticsearch\/lib\/log4j*\nchown elkadmin:elkadmin \/opt\/elk\/elasticsearch\/modules\/x-pack-core\/log4j*\nchown elkadmin:elkadmin \/opt\/elk\/elasticsearch\/modules\/x-pack-identity-provider\/log4j*\nchown elkadmin:elkadmin \/opt\/elk\/elasticsearch\/modules\/x-pack-security\/log4j*\nchown elkadmin:elkadmin \/opt\/elk\/elasticsearch\/plugins\/repository-s3\/log4j*\nchown elkadmin:elkadmin \/opt\/elk\/elasticsearch\/plugins\/opendistro_security\/log4j*\n\nsystemctl start elasticsearch \n\n# Clean up temp files\nrm \/tmp\/log4j*\n\n<\/pre><\/div>\n\n\n
And finally routing is re-enabled:<\/p>\n\n\n
\nPUT \/_cluster\/settings \n{ "transient" : { "cluster.routing.allocation.enable" : "all" } }\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"
We are a little stuck with our ElasticSearch implementation — we need the OpenDistro authentication, so either need to buy newer ElasticSearch or move to OpenSearch. That’s an ongoing project, but it won’t be accomplished in a timely fashion to address these log4j issues. To address the existing Log4J issues in ElasticSearch as well as, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1588],"tags":[1590,1589,2057],"class_list":["post-11218","post","type-post","status-publish","format-standard","hentry","category-elk","tag-elasticsearch","tag-elk","tag-log4j"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11218"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11218\/revisions"}],"predecessor-version":[{"id":11219,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11218\/revisions\/11219"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}