Posted to commits@fluo.apache.org by ar...@apache.org on 2022/01/04 17:25:35 UTC

[fluo-muchos] branch main updated: Mitigate Log4Shell issues in ELK stack (#425)

This is an automated email from the ASF dual-hosted git repository.

arvindsh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fluo-muchos.git


The following commit(s) were added to refs/heads/main by this push:
     new 71e54c1  Mitigate Log4Shell issues in ELK stack (#425)
71e54c1 is described below

commit 71e54c1d6b654b9041e481e6a91f3bae21370505
Author: Arvind Shyamsundar <ar...@apache.org>
AuthorDate: Tue Jan 4 09:25:28 2022 -0800

    Mitigate Log4Shell issues in ELK stack (#425)
    
    Fixes #418.
    
    Muchos can be used to deploy an optional `elkserver` role wherein
    OSS versions of the ELK stack are deployed (see #338).
    
    Elasticsearch and Logstash are among the external packages deployed
    when the `elkserver` role is optionally assigned to hosts in muchos.props.
    Both those packages use an older version of log4j2 which is vulnerable
    to the following known issues:
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    &
    https://nvd.nist.gov/vuln/detail/CVE-2021-45046
    
    Elasticsearch and Logstash have addressed these
    vulnerabilities in their 7.16.2 releases. However, due to licensing
    issues the last OSS ELK stack version is 7.10.2, which requires the
    removal of the JNDI class for mitigation.
    
    Hence, we mitigate the known vulnerabilities by deleting the JNDI class
    from the older log4j2-core JAR deployed by those external components.
---
 ansible/roles/elasticsearch/tasks/main.yml | 4 ++++
 ansible/roles/logstash/tasks/main.yml      | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/ansible/roles/elasticsearch/tasks/main.yml b/ansible/roles/elasticsearch/tasks/main.yml
index 794c8a0..fca4ef6 100644
--- a/ansible/roles/elasticsearch/tasks/main.yml
+++ b/ansible/roles/elasticsearch/tasks/main.yml
@@ -82,6 +82,10 @@
     enabled: yes
   become: true
 
+- name: remove jndi plugin from log4j jar to mitigate log4shell
+  shell: zip -q -d /usr/share/elasticsearch/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+  become: true
+
 # Restart Elasticsearch
 - name: Start Elasticsearch
   service:
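Review bot: the new `shell: zip -q -d ... JndiLookup.class` task is not idempotent: `zip -d` exits with status 12 ("nothing to do") once the class has already been removed, so a second run of the role fails on this task instead of reporting no change. Register the result and treat that code as success, e.g. `register: jndi_removal`, `changed_when: jndi_removal.rc == 0`, `failed_when: jndi_removal.rc not in [0, 12]`, or guard the task with an `unzip -l` check for the class. The task also assumes the `zip` binary is present on the host, which none of the visible tasks install. Placing it before the "Start Elasticsearch" task is right, since the service only picks up the modified jar on (re)start.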
diff --git a/ansible/roles/logstash/tasks/main.yml b/ansible/roles/logstash/tasks/main.yml
index b7777da..d7bebc5 100644
--- a/ansible/roles/logstash/tasks/main.yml
+++ b/ansible/roles/logstash/tasks/main.yml
@@ -37,6 +37,10 @@
     name: /tmp/{{ logstash_rpm }}
     state: present
 
+- name: remove jndi plugin from log4j jar to mitigate log4shell
+  shell: zip -q -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+  become: true
+
 # Update startup.option file with the new home location.
 - name: Update the startup.option file
   lineinfile:
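Review bot: the unquoted glob `log4j-core-*.jar` relies on exactly one match; if a second log4j-core jar ever sits in `/usr/share/logstash/logstash-core/lib/jars/`, the shell expands both names and `zip` treats the second jar as an entry to delete from the first, leaving it unpatched. Use the `find` module and loop over its results (or fail explicitly when more than one file matches), and add a follow-up check (`unzip -l <jar> | grep JndiLookup` should return nothing) so a re-deploy verifies the class is absent rather than trusting the zip exit status. The same idempotency concern as in the elasticsearch role applies here, since `zip -d` returns 12 on a repeat run; a `changed_when`/`failed_when` pair on a registered result would make the task safe to rerun.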