Code:
echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options; systemctl restart elasticsearch

com.sun.jndi.rmi.object.trustURLCodebase
com.sun.jndi.cosnaming.object.trustURLCodebase
false

Elasticsearch 7.0 and up has bundled OpenJDK so they should be fine as-is. (The jvm.options fix won't work in older versions because they use an older version of Log4j.)

Hello there,
As you may know, a zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).
For all organizations using Log4j, they should update to version 2.15.0 as soon as possible. The latest version can be found at the Log4j download page.
Customers subscribing to our paid PRO and BUSINESS plans and using our WAF are automatically receiving help with mitigating this vulnerability.
As a Cloudflare FREE user, it is important to us that your site is protected from high severity vulnerabilities. For this reason we are actively deploying mitigation rules on your zones to block any malicious exploit attempts. No action is required from you to turn the new rules on.
For more information please see our blog.
The Cloudflare Team
Log4j developer comments
For those who are looking for a JRE/JDK version to mitigate the problem, please don't! CVE-2021-44228 creates a large attack surface depending on the imagination of the attacker and an RCE is just one of them. I would strongly advise you to avoid having a false conclusion by relying on a JVM feature targeting a certain attack vector; there are more vectors. Simply either bump log4j-core to 2.15.0 or set log4j2.formatMsgNoLookups=true system property.
Code:
// parameterized message: the value is passed as an argument to a {} placeholder
logger.info("{} foo", "bad string");
// message built by string concatenation: the value becomes part of the message text itself
logger.info("bad string" + " foo");
If you are using log4j v2.10 or above...set the property log4j2.formatMsgNoLookups=true
Just to complicate things for you guys, https://www.elastic.co/downloads/past-releases/elasticsearch-5-6-16 which one of our servers is running includes 2.11.1. Not sure at which version the 5 series started including 2.11.1

Elasticsearch 6.3 includes Log4j 2.9.1.
You can see that here: Elasticsearch 6.3.0 (www.elastic.co)
2.11.1 isn't included until 6.4.0: Elasticsearch 6.4.0 (www.elastic.co)
Workaround for Elasticsearch 6.4 and above
You are able to control the behaviour of Log4j via the /etc/elasticsearch/jvm.options file. Notably, the current recommendation is to add the following line to the end of that file:
Code:
-Dlog4j2.formatMsgNoLookups=true
You'll then want to restart the elasticsearch server service for that change to take effect.
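The one-liner at the top of the thread and the workaround post above both do the same thing by hand: append the flag to jvm.options and restart. The script below is an added example, not something posted in this thread or shipped by Elastic, that applies the change idempotently (so re-running it does not stack duplicate lines) and reads the log4j-core jar version out of the Elasticsearch lib directory to tell you whether the flag is honoured at all, using the version boundaries stated in the thread (flag works from 2.10, fixed in 2.15.0, older releases need an upgrade). The file and directory paths are parameters, and the `/usr/share/elasticsearch/lib` location in the usage line is an assumption about a typical package install.

```shell
#!/bin/sh
# Added example: idempotent jvm.options mitigation plus a Log4j version check
# for an Elasticsearch install. Paths are parameters so it can be exercised
# against a scratch copy before touching the real files.

MITIGATION='-Dlog4j2.formatMsgNoLookups=true'

# Append the flag only if no line already sets it. Prints "added" or "present".
apply_nolookups() {
    opts="$1"
    if grep -q -- '^-Dlog4j2\.formatMsgNoLookups=true' "$opts" 2>/dev/null; then
        echo present
        return 0
    fi
    printf '%s\n' "$MITIGATION" >> "$opts"
    echo added
}

# Print the version embedded in the log4j-core jar name found in a lib
# directory (Elasticsearch ships e.g. lib/log4j-core-2.11.1.jar), or "none".
log4j_core_version() {
    libdir="$1"
    for jar in "$libdir"/log4j-core-*.jar; do
        [ -e "$jar" ] || { echo none; return 0; }
        v=${jar##*/log4j-core-}
        echo "${v%.jar}"
        return 0
    done
    echo none
}

# Classify a log4j-core version according to the advice in this thread:
#   fixed      -> 2.15.0 or later, lookups in messages are off by default
#   flag-works -> 2.10 up to 2.14.x, formatMsgNoLookups is honoured
#   upgrade    -> older than 2.10, the jvm.options flag does nothing
classify_log4j() {
    echo "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0;
        if (major > 2 || (major == 2 && minor >= 15)) print "fixed";
        else if (major == 2 && minor >= 10) print "flag-works";
        else print "upgrade";
    }'
}

# Usage: sh log4j-es-check.sh /etc/elasticsearch/jvm.options /usr/share/elasticsearch/lib
# (the lib path is an assumption for a package install; adjust to your layout)
if [ "$#" -eq 2 ]; then
    ver=$(log4j_core_version "$2")
    echo "log4j-core in $2: $ver -> $(classify_log4j "$ver")"
    echo "$1: $(apply_nolookups "$1")"
    echo "now restart the service: systemctl restart elasticsearch"
fi
```

Run it first against copies of jvm.options and the lib directory to see what it would report; "upgrade" means the flag is not a mitigation for that install and the thread's advice to move to a release carrying log4j-core 2.15.0 applies instead.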