High severity vulnerability (CVE-2021-44228) impact on RoR

:red_square: Apache Log4j2 Remote Code Execution (RCE) Vulnerability


:unicorn: ReadonlyREST plugin does NOT ship with log4j at all, nothing to fix in the plugin, so focus on securing Elasticsearch itself. Here is how:

Quick fixes

Recent Elasticsearch versions are not vulnerable to these vulnerabilities, so in most cases it’s not critical to update Elasticsearch immediately.

However, to be extra sure, there are two easy steps to go the extra mile and disable/remove the affected code:

  • :white_check_mark: CVE-2021-44228 (RCE) mitigation: make sure Elasticsearch is running with this JVM option:
    -Dlog4j2.formatMsgNoLookups=true
  • :white_check_mark: CVE-2021-45056 (DoS) mitigation
    You can delete the class “JndiLookup.class” from the log4j-core jar with this command:
    zip -q -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

:bangbang: Do not forget to apply the fixes to all nodes and RESTART all of them.

NB: The new versions of Elasticsearch released on Monday (7.16.1 and 6.8.21) ship with a patched version of the old (vulnerable) log4j-core jar (this might still trigger some automatic security alerts, but it’s safe).


IMPACT AND RECOMMENDED ACTIONS

  1. Read the analysis from Elastic

  2. Read and apply the “Quick fixes” section above in this post

  3. In a second instance, plan a well organised upgrade to Elasticsearch >= 7.16.1, or >= 6.8.21

  4. We strive to deliver a compatible ReadonlyREST plugin for the newest Elasticsearch versions as soon as they get released. So check our download page often.

  5. Remember this vulnerability does NOT affect Kibana and its plugins, so let’s focus on Elasticsearch first.

  6. Remember to take care of Logstash and other java based components as well (see the usual Elastic forum announcement)

  7. Please follow this thread for updates and comments.

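Added example to go with the “Quick fixes” above (this is not ReadonlyREST’s or Elastic’s own code): an audit script that checks one Elasticsearch home for both mitigations, the `-Dlog4j2.formatMsgNoLookups=true` JVM option in `config/jvm.options` and the absence of `JndiLookup.class` from every `lib/log4j-core-*.jar`, and that can strip the class the same way the `zip -d` command does. It also reports the `Implementation-Version` from each jar’s manifest, which is handy when checking which Log4j version a node actually ships. The layout (`config/jvm.options`, `lib/log4j-core-*.jar`) is the standard Elasticsearch one; the sample home, jar contents and version string it builds are constructed for the demonstration.

```python
"""Audit an Elasticsearch home for the Log4Shell quick fixes (added example)."""
import glob
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# jvm.options lines may carry a JVM-version prefix such as "11-:" before the option
FLAG_RE = re.compile(r"^(\d+(-\d+)?:)?" + re.escape(JVM_FLAG) + r"$")


def jvm_flag_set(jvm_options_path):
    """True if the mitigation flag appears on a non-comment line of jvm.options."""
    with open(jvm_options_path, encoding="utf-8") as fh:
        return any(FLAG_RE.match(line.strip()) for line in fh
                   if line.strip() and not line.lstrip().startswith("#"))


def log4j_core_version(jar_path):
    """Implementation-Version from the jar manifest, or None if it is absent."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place).
    Same effect as: zip -q -d lib/log4j-core-*.jar org/.../JndiLookup.class"""
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)


def audit(es_home):
    """Summarise the mitigation status of one Elasticsearch home as a dict."""
    jvm_opts = os.path.join(es_home, "config", "jvm.options")
    jars = sorted(glob.glob(os.path.join(es_home, "lib", "log4j-core-*.jar")))
    report = {
        "formatMsgNoLookups": os.path.exists(jvm_opts) and jvm_flag_set(jvm_opts),
        "jars": {os.path.basename(j): {"version": log4j_core_version(j),
                                        "jndi_lookup_present": has_jndi_lookup(j)}
                 for j in jars},
    }
    # Both fixes from the post must be in place before a node counts as mitigated
    report["mitigated"] = report["formatMsgNoLookups"] and not any(
        j["jndi_lookup_present"] for j in report["jars"].values())
    return report


def apply_quick_fixes(es_home):
    """Apply both quick fixes to a home directory, then re-audit it."""
    jvm_opts = os.path.join(es_home, "config", "jvm.options")
    if not jvm_flag_set(jvm_opts):
        with open(jvm_opts, "a", encoding="utf-8") as fh:
            fh.write(JVM_FLAG + "\n")
    for jar in glob.glob(os.path.join(es_home, "lib", "log4j-core-*.jar")):
        if has_jndi_lookup(jar):
            remove_jndi_lookup(jar)
    return audit(es_home)


def build_sample_es_home():
    """Constructed sample: a fake ES home with an unmitigated log4j-core jar."""
    home = tempfile.mkdtemp(prefix="es-sample-")
    os.makedirs(os.path.join(home, "config"))
    os.makedirs(os.path.join(home, "lib"))
    with open(os.path.join(home, "config", "jvm.options"), "w", encoding="utf-8") as fh:
        fh.write("# constructed jvm.options\n-Xms1g\n-Xmx1g\n")
    jar = os.path.join(home, "lib", "log4j-core-2.11.1.jar")
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nImplementation-Version: 2.11.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return home


if __name__ == "__main__":
    sample = build_sample_es_home()
    print("before:", audit(sample))
    print("after: ", apply_quick_fixes(sample))
```

Run `audit("/usr/share/elasticsearch")` (or wherever the node lives) on every node; as the post says, the fixes only take effect after a restart, so a green audit means the files are right, not that the running JVM has picked them up.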

We have released ROR plugin 1.37.0, now supporting 7.16.1 and 6.8.21 versions of Elasticsearch.

The downloads are available as usual on our website.

We might also want to understand CVE-2021-45046.

No update of Elasticsearch (ES) available yet (current 7.16.1 does not meet it), hopefully support of ReadonlyREST (ROR) for the upcoming ES will also be available at some moment.


I read in Elastic forum:

Users may upgrade to Elasticsearch 7.16.1 or 6.8.21, which were released on December 13, 2021. These releases do not upgrade the Log4j package, but mitigate the vulnerability by setting the JVM option -Dlog4j2.formatMsgNoLookups=true and remove the vulnerable JndiLookup class from the Log4j package.

And in the CVE-2021-45046 link you provided:

This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

So I understand that the latest ES does mitigate also CVE-2021-45046 because they deleted the JndiLookup.class file in the old log4j-core jar (security alerts might still be triggered though).

Elastic has announced the following:

"We are pleased to announce new versions of Elasticsearch and Logstash, 7.16.2 and 6.8.22, to upgrade to the latest release of Apache Log4j and address false positive concerns with some vulnerability scanners."

We’ll start working on supporting the new releases today.


Now, ES ROR 1.37.0 officially supports ES 7.16.2 and ES 6.8.22.


Added now support for Kibana 7.16.2, and 6.8.22 as well! :rainbow:


A new vulnerability, CVE-2021-44832, was reported today about Log4J.

The fix from Log4J team should be released later today 29 December 2021 as part of the 2.17.1 release. Currently the latest Elasticsearch uses 2.17.0.

  • [2021-12-29T16:36:12Z] A thread has been created in Elastic discussion forum about it, no comments yet.

In a few days we’ll see Elasticsearch 7.16.3 released with the fix. :partying_face:

(from Elastic forum)

ES 7.16.3 released Jan 13, 2022, Elasticsearch version 7.16.3 | Elasticsearch Guide [7.16] | Elastic

Looking for confirmation that ROR 1.37.0 or some next version confirms to support it.
TYIA!

ROR plugins ES 7.16.3 support status update

:white_check_mark: Elasticsearch
:gear: Kibana Free/PRO/Enterprise (CI/CD in progress, ETA: 15 Jan)

ROR plugins ES 7.16.3 and 6.8.23 support status update

:white_check_mark: Elasticsearch plugin
:white_check_mark: Free/PRO/Enterprise Kibana plugins

Available at the usual download page :+1:
