ReadonlyREST plugin does NOT ship with log4j at all, nothing to fix in the plugin, so focus on securing Elasticsearch itself. Here is how:
Recent Elasticsearch versions are not vulnerable to these issues, so in most cases it is not critical to update Elasticsearch immediately.
However, to be extra sure, there are two easy steps to go the extra mile and disable/remove the affected code:
- CVE-2021-44228 (RCE) mitigation: make sure Elasticsearch is running with this JVM option:
- CVE-2021-45056 (DoS) mitigation: delete the class “JndiLookup.class” from the log4j-core jar with this command:
zip -q -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Do not forget to apply the fixes to all nodes and RESTART all of them.
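To verify that the JndiLookup removal above actually took effect on every node (and to apply it where the zip utility is not installed), here is an added example script that is not part of this post or of the ReadonlyREST project. It uses only the Python standard library: it locates log4j-core-*.jar files under a lib directory (assumed to be the Elasticsearch lib folder), reports whether the JndiLookup.class entry is still present, and can rewrite the jar without that entry, which is equivalent to the zip -q -d command. The make_sample_jar helper only builds a constructed fixture jar for trying the script out.

```python
"""Audit and apply the JndiLookup.class removal on log4j-core jars.

Added example, not code from the ReadonlyREST post. Assumes jars live under
<ES_HOME>/lib, which is the default Elasticsearch layout.
"""
import glob
import os
import shutil
import tempfile
import zipfile

# Entry that the post's `zip -q -d` command deletes from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(lib_dir):
    """Return the log4j-core jars in lib_dir (same glob as the zip command)."""
    return sorted(glob.glob(os.path.join(lib_dir, "log4j-core-*.jar")))


def jar_entries(jar_path):
    """List the entry names inside a jar (a jar is a zip archive)."""
    with zipfile.ZipFile(jar_path) as jar:
        return jar.namelist()


def has_jndi_lookup(jar_path):
    """True if JndiLookup.class is still inside the jar, i.e. mitigation NOT applied."""
    return JNDI_CLASS in jar_entries(jar_path)


def remove_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (equivalent of `zip -q -d`).

    Returns True if the entry was removed, False if it was already absent.
    The jar is rewritten to a temporary file in the same directory and then
    atomically moved over the original, so an interrupted run never leaves a
    truncated jar for Elasticsearch to load.
    """
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(
            dir=os.path.dirname(jar_path) or ".", suffix=".jar"
        )
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_CLASS:
                    continue  # drop only the JNDI lookup class, keep everything else
                dst.writestr(info, src.read(info.filename))
    shutil.copymode(jar_path, tmp_path)  # keep the original file permissions
    os.replace(tmp_path, jar_path)
    return True


def audit_lib_dir(lib_dir):
    """Map each log4j-core jar in lib_dir to True (still present) / False (removed)."""
    return {jar: has_jndi_lookup(jar) for jar in find_log4j_core_jars(lib_dir)}


def make_sample_jar(lib_dir=None):
    """Build a constructed fixture jar for trying the script out (not a real log4j jar)."""
    if lib_dir is None:
        lib_dir = tempfile.mkdtemp()
    jar_path = os.path.join(lib_dir, "log4j-core-2.11.1.jar")
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr(JNDI_CLASS, b"constructed placeholder, not real bytecode")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"other entry")
    return jar_path


if __name__ == "__main__":
    import sys

    lib = sys.argv[1] if len(sys.argv) > 1 else "lib"  # assumed: run from ES_HOME
    for jar, present in audit_lib_dir(lib).items():
        state = "JndiLookup.class PRESENT (apply fix, then restart)" if present else "JndiLookup.class absent"
        print(f"{jar}: {state}")
```

Run it as `python3 audit_log4j.py /usr/share/elasticsearch/lib` (path is an assumption) on each node; a jar reported as PRESENT still needs the removal, and after any change the node must be restarted, as the post says, because the JVM has already loaded the old jar.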
NB: The new versions of Elasticsearch released on Monday (7.16.1 and 6.8.21) ship with a patched version of the old (vulnerable) log4j-core jar (this might still trigger some automatic security alerts, but it’s safe).
IMPACT AND RECOMMENDED ACTIONS
- Read the analysis from Elastic
- Read and apply the “Quick fixes” section above in this post
- As a second step, plan a well organised upgrade to Elasticsearch >= 7.16.1, or >= 6.8.21
- We strive to deliver a compatible ReadonlyREST plugin for the newest Elasticsearch versions as soon as they are released, so check our download page often.
- Remember this vulnerability does NOT affect Kibana and its plugins, so let’s focus on Elasticsearch first.
- Remember to take care of Logstash and other Java-based components as well (see the usual Elastic forum announcement)
Please follow this thread for updates and comments.