The ReadonlyREST plugin does NOT ship with log4j at all, so there is nothing to fix in the plugin; focus on securing Elasticsearch itself. Here is how:
Quick fixes
Recent Elasticsearch versions are not vulnerable to these vulnerabilities, so in most cases it’s not critical to update Elasticsearch immediately.
However, to be extra sure, there are two easy steps to go the extra mile and disable/remove the affected code:
CVE-2021-44228 (RCE) mitigation: make sure Elasticsearch is running with this JVM option:
-Dlog4j2.formatMsgNoLookups=true
CVE-2021-45046 (DoS) mitigation
You can delete the class “JndiLookup.class” from the log4j-core jar with this command:
zip -q -d lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Do not forget to apply the fixes to all nodes and RESTART all of them.
NB: The new versions of Elasticsearch released on Monday (7.16.1 and 6.8.21) ship with a patched version of the old (vulnerable) log4j-core jar (this might still trigger some automatic security alerts, but it’s safe).
Read and apply the “Quick fixes” section above in this post
As a second step, plan a well organised upgrade to Elasticsearch >= 7.16.1, or >= 6.8.21
We strive to deliver a compatible ReadonlyREST plugin for the newest Elasticsearch versions as soon as they get released. So check our download page often.
Remember this vulnerability does NOT affect Kibana and its plugins, so let’s focus on Elasticsearch first.
Remember to take care of Logstash and other Java-based components as well (see the usual Elastic forum announcement)
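An added example (my own code, not ReadonlyREST's or Elastic's) that audits one Elasticsearch node for both quick fixes described in the post above, and can apply the JndiLookup removal the same way `zip -q -d` does, by rewriting the jar without that entry. It assumes the standard ES_HOME layout (lib/, modules/*/, plugins/*/, config/jvm.options); the sample jar built by make_sample_es_home() is constructed for the demo and contains no real log4j bytecode:

```python
# Added example (not ReadonlyREST or Elastic code): audit and apply the two
# "quick fixes" on an Elasticsearch install. The ES_HOME layout (lib/,
# modules/, plugins/, config/jvm.options) is the standard one; the sample
# jar produced by make_sample_es_home() is constructed and holds placeholder
# bytes, not real log4j classes.
import glob
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# jvm.options lines may carry a JVM-version condition such as "8-:" or "9-13:"
VERSION_PREFIX = re.compile(r"^\d+(-\d*)?:")


def log4j_core_jars(es_home):
    """Every log4j-core jar shipped in lib/, modules/*/ or plugins/*/."""
    patterns = ["lib/log4j-core-*.jar", "modules/*/log4j-core-*.jar",
                "plugins/*/log4j-core-*.jar"]
    return sorted(j for p in patterns
                  for j in glob.glob(os.path.join(es_home, p)))


def jar_entries(jar_path):
    with zipfile.ZipFile(jar_path) as z:
        return z.namelist()


def has_jndi_lookup(jar_path):
    return JNDI_CLASS in jar_entries(jar_path)


def strip_jndi_lookup(jar_path):
    """Same effect as `zip -q -d <jar> org/.../JndiLookup.class`: rewrite the
    jar without that entry, keep a .bak copy of the original, swap atomically.
    Returns True if the class was present and has been removed."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path), suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    shutil.copy2(jar_path, jar_path + ".bak")
    os.replace(tmp, jar_path)
    return True


def jvm_flag_present(jvm_options_text, es_java_opts=""):
    """True if formatMsgNoLookups=true is set on a non-comment line of
    config/jvm.options (version-conditional lines included) or in ES_JAVA_OPTS."""
    for raw in jvm_options_text.splitlines():
        line = VERSION_PREFIX.sub("", raw.strip())
        if not line.startswith("#") and line == JVM_FLAG:
            return True
    return JVM_FLAG in es_java_opts.split()


def audit(es_home, es_java_opts="", fix=False):
    """Report (and with fix=True apply) both mitigations for one node.
    The node still has to be restarted afterwards: a running JVM keeps the
    class it already loaded and the system properties it started with."""
    jars = log4j_core_jars(es_home)
    if fix:
        for jar in jars:
            strip_jndi_lookup(jar)
    opts_path = os.path.join(es_home, "config", "jvm.options")
    opts_text = open(opts_path).read() if os.path.exists(opts_path) else ""
    return {
        "jars": jars,
        "jars_with_jndi_lookup": [j for j in jars if has_jndi_lookup(j)],
        "format_msg_no_lookups": jvm_flag_present(opts_text, es_java_opts),
    }


def make_sample_es_home():
    """Constructed fixture: a fake ES_HOME whose log4j-core jar contains a
    placeholder JndiLookup.class entry and whose jvm.options lacks the flag."""
    home = tempfile.mkdtemp(prefix="es-home-")
    os.makedirs(os.path.join(home, "lib"))
    os.makedirs(os.path.join(home, "config"))
    jar = os.path.join(home, "lib", "log4j-core-2.11.1.jar")
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_CLASS, b"placeholder, not real bytecode")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    with open(os.path.join(home, "config", "jvm.options"), "w") as f:
        f.write("# Heap\n-Xms1g\n-Xmx1g\n8-:-XX:+UseConcMarkSweepGC\n")
    return home


if __name__ == "__main__":
    home = make_sample_es_home()
    print("before:", audit(home))
    print("after: ", audit(home, fix=True))
```

Run audit(es_home, fix=True) on every node, add the JVM flag to config/jvm.options (the script only reports it), then restart the node; the .bak copy lets you roll the jar back if a restart fails.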
No update of Elasticsearch (ES) available yet (current 7.16.1 does not meet it), hopefully support of ReadonlyREST (ROR) for the upcoming ES will also be available at some moment.
Users may upgrade to Elasticsearch 7.16.1 or 6.8.21, which were released on December 13, 2021. These releases do not upgrade the Log4j package, but mitigate the vulnerability by setting the JVM option -Dlog4j2.formatMsgNoLookups=true and removing the vulnerable JndiLookup class from the Log4j package.
This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
So I understand that the latest ES also mitigates CVE-2021-45046 because they deleted the JndiLookup.class file in the old log4j-core jar (security alerts might still be triggered though).
"We are pleased to announce new versions of Elasticsearch and Logstash, 7.16.2 and 6.8.22, to upgrade to the latest release of Apache Log4j and address false positive concerns with some vulnerability scanners. "
We’ll start working on supporting the new releases today.