Upgrade the Log4j version of Elasticsearch

Background

On December 10, 2021, a remote code execution vulnerability in Apache Log4j, the widely used Java logging library, was publicly disclosed as CVE-2021-44228. It was followed in quick succession by CVE-2021-45046 and CVE-2021-45105, each closing a gap left by the previous fix. Because the impact is so broad, every service that bundles Log4j needs to be patched. This note records how we patched Elasticsearch, based on version 6.2.4. Elasticsearch ships its own Log4j jars under lib/, so on a host that cannot move to a newer Elasticsearch release the fix is to replace those jars in place, which is what follows.

Repair process

The repair consists of upgrading the Log4j jars bundled with Elasticsearch. Because the upstream fix itself took several rounds, we upgraded three times: to 2.15.0 (fixing CVE-2021-44228), then to 2.16.0 (CVE-2021-45046), and finally to 2.17.0 (CVE-2021-45105).

First upgrade: 2.15.0

    cd /tmp && \
    wget https://dlcdn.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.tar.gz && \
    mv /usr/share/elasticsearch/lib/log4j-core-2*.jar /tmp && \
    mv /usr/share/elasticsearch/lib/log4j-api-2*.jar /tmp && \
    mv /usr/share/elasticsearch/lib/log4j-1.2-api-2*.jar /tmp && \
    tar -zxf apache-log4j-2.15.0-bin.tar.gz && \
    cd /tmp/apache-log4j-2.15.0-bin/ && \
    cp log4j-core-2.15.0.jar /usr/share/elasticsearch/lib/ && \
    cp log4j-api-2.15.0.jar /usr/share/elasticsearch/lib/ && \
    cp log4j-1.2-api-2.15.0.jar /usr/share/elasticsearch/lib/ && \
    ls /usr/share/elasticsearch/lib/ | grep 'log4j' && \
    echo 'replaced log4j with new jars, restarting ES now...' && \
    sudo systemctl restart elasticsearch && \
    sleep 2 && \
    watch -n 2 'sudo systemctl status elasticsearch | grep ago'

Every step is chained with &&, including the wget: if the download fails, the old jars stay in lib/ and Elasticsearch is not restarted without a logging library. Moving the three jars out and copying three new ones in is what keeps a single copy of each artifact in lib/; leaving an old log4j-core jar next to the new one would put two versions on the classpath.

Later, two more upgrades were made, to 2.16.0 and then to 2.17.0. Since the steps are identical each time, we wrote a small script parameterised on the version. Each run moves whatever log4j-*-2*.jar currently sits in lib/ to /tmp before copying in the new jars, so the same script served both the 2.15.0 to 2.16.0 and the 2.16.0 to 2.17.0 steps.

Script

    #!/bin/bash
    # Abort on the first failed step so a half-replaced lib/ directory is noticed
    # instead of silently restarting Elasticsearch without its logging jars.
    set -euo pipefail

    # Set log4j version
    log4j_version="2.17.0"

    # Download log4j
    cd /tmp
    wget "https://archive.apache.org/dist/logging/log4j/${log4j_version}/apache-log4j-${log4j_version}-bin.tar.gz"

    # Move existing log4j jars to a temporary location
    mv /usr/share/elasticsearch/lib/log4j-core-2*.jar /tmp
    mv /usr/share/elasticsearch/lib/log4j-api-2*.jar /tmp
    mv /usr/share/elasticsearch/lib/log4j-1.2-api-2*.jar /tmp

    # Extract and copy the new log4j jars to the Elasticsearch lib directory
    tar -zxf "apache-log4j-${log4j_version}-bin.tar.gz"
    cd "/tmp/apache-log4j-${log4j_version}-bin/"
    cp "log4j-core-${log4j_version}.jar" /usr/share/elasticsearch/lib/
    cp "log4j-api-${log4j_version}.jar" /usr/share/elasticsearch/lib/
    cp "log4j-1.2-api-${log4j_version}.jar" /usr/share/elasticsearch/lib/

    # Check the new log4j jars are in place (pipefail makes this fail if none match)
    ls /usr/share/elasticsearch/lib/ | grep 'log4j'

    # Restart Elasticsearch
    echo 'replaced log4j with new jars, restarting ES now...'
    sudo systemctl restart elasticsearch
    sleep 2

    # Monitor Elasticsearch status
    watch -n 2 'sudo systemctl status elasticsearch | grep ago'
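The only verification in the steps above is an `ls | grep log4j` that you read by eye. The audit script below is an added example, not part of the original post and not Elasticsearch's own tooling; it assumes the post's layout (log4j-core, log4j-api and log4j-1.2-api jars side by side in one lib directory) and checks that each artifact is present exactly once at 2.17.0 or later, failing on a missing artifact, a jar older than the fixed version, or a leftover old jar sitting next to the new one.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Log4j 2 jars in an
# Elasticsearch lib directory after a manual jar swap like the one above.
# Assumes the post's layout: log4j-core, log4j-api and log4j-1.2-api jars
# in one directory (e.g. /usr/share/elasticsearch/lib).
set -eu

# Earliest release that closes CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
FIXED_VERSION="2.17.0"

# version_ge A B: succeed when A >= B, comparing dotted numeric fields
# (missing trailing fields count as 0, so 2.17 == 2.17.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# jar_version PATH: print the version embedded in a log4j jar filename
# (log4j-core-2.17.0.jar -> 2.17.0).
jar_version() {
    name=$(basename "$1" .jar)
    printf '%s\n' "${name##*-}"
}

# audit_log4j LIBDIR: print one status line per artifact and return
#   0  every artifact present exactly once at >= FIXED_VERSION
#   1  an artifact is missing, older than FIXED_VERSION, or present more
#      than once (two versions of one artifact on the classpath)
audit_log4j() {
    lib=$1
    rc=0
    for artifact in log4j-core log4j-api log4j-1.2-api; do
        count=0
        names=
        last=
        for jar in "$lib/$artifact"-2*.jar; do
            [ -e "$jar" ] || continue      # an unmatched glob stays literal
            count=$((count + 1))
            names="$names ${jar##*/}"
            last=$jar
        done
        if [ "$count" -eq 0 ]; then
            echo "MISSING   $artifact"
            rc=1
        elif [ "$count" -gt 1 ]; then
            echo "DUPLICATE $artifact:$names"
            rc=1
        else
            v=$(jar_version "$last")
            if version_ge "$v" "$FIXED_VERSION"; then
                echo "OK        $artifact $v"
            else
                echo "OLD       $artifact $v (< $FIXED_VERSION)"
                rc=1
            fi
        fi
    done
    return "$rc"
}

# Stand-alone use: sh audit-log4j.sh /usr/share/elasticsearch/lib
if [ "$#" -gt 0 ]; then
    audit_log4j "$1"
fi
```

Run it against the lib directory before the `systemctl restart` step; a non-zero exit means stop and look at the listing rather than restart. The version comparison is numeric per dotted field, so 2.17.1 passes while 2.16.0 is reported as OLD, and a second log4j-core jar that was never moved out of lib/ is reported as DUPLICATE.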
