PSA: Potential security vulnerability in Elasticsearch 5+ via Apache Log4j (Log4Shell)

It has come to our attention today that a vulnerability has been discovered in the popular Java logging library Log4j 2 which may allow attackers to execute arbitrary code (remote code execution).

Apache Log4j 2 is bundled with and used in many Java applications including Elasticsearch.

XenForo itself is not directly exploitable, and we are currently investigating whether XenForo Enhanced Search can be used as a vector at all, but this is potentially significant enough that an abundance of caution is sensible.

You can read more about the vulnerability here:

The specifics of how to work around this and whether you are affected are surprisingly complicated, and if you have other software that uses Log4j the workarounds and considerations will likely be different. The following pertains primarily to Elasticsearch.

Workaround for Elasticsearch 6.4 and above

You are able to control the behaviour of Log4j via the /etc/elasticsearch/jvm.options file. Notably, the current recommendation is to add the following line to the end of that file:

Code:
-Dlog4j2.formatMsgNoLookups=true

You'll then need to restart the Elasticsearch service for that change to take effect.

If you are using Elasticsearch version 5.0-6.3 please upgrade

If you are using Elasticsearch version 5.0-6.3 it may include an older version of Log4j, which means the above workaround will not work. Upgrading to a newer version is likely preferable to other workarounds that cater for the older versions. XenForo Enhanced Search supports the latest versions of Elasticsearch.

While not something that will entirely mitigate the issue, we also recommend ensuring Java JDK is up-to-date and configured correctly.

Please watch this thread with email notifications enabled. If we have any further information we'll add it in new posts in this thread.