Graylog2 / graylog-docker

Official Graylog Docker image
https://hub.docker.com/r/graylog/graylog/
Apache License 2.0

Log4j issues not fixed #201

Closed Andreik8s closed 2 years ago

Andreik8s commented 2 years ago

Hi

This commit does not fix the vulnerability: https://github.com/Graylog2/graylog-docker/commit/82fec0094bc98aedd59e5f6538d819178ff77056

From: https://logging.apache.org/log4j/2.x/security.html

A new CVE (CVE-2021-45046, see above) was raised for this.

Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.

The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.

I have used latest docker image 4.2/4.2.4 and got cryptominer inside the running container. Please upgrade log4j to the latest version!
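One defender-side check that follows from the Apache guidance quoted above, added here as example code (it is not from the Graylog project or from anyone in this thread): it reads a log4j-core jar's manifest version, reports whether JndiLookup.class is still present, and can produce a copy with that class stripped, which the advisory names only as the fallback. It assumes the 2.17.1 minimum the maintainer names in this thread, and the sample jar it audits is constructed in memory.

```python
import io
import re
import zipfile

# Path of the lookup class inside log4j-core that the Apache advisory says to remove.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: anything older than the 2.17.1 named in this thread still needs an upgrade.
MIN_SAFE = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); returns None if the string is not a version."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None


def audit_log4j_jar(jar_file):
    """Report manifest version and JndiLookup presence for a log4j-core jar (path or file-like)."""
    with zipfile.ZipFile(jar_file) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    return {
        "version": version,
        "has_jndi_lookup": JNDI_LOOKUP in names,
        # Stripping the class is only the fallback; an unknown or old version still needs the upgrade.
        "needs_upgrade": version is None or version < MIN_SAFE,
    }


def strip_jndi_lookup(jar_file):
    """Return an in-memory copy of the jar without JndiLookup.class (the advisory's fallback)."""
    out = io.BytesIO()
    with zipfile.ZipFile(jar_file) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    out.seek(0)
    return out


def make_sample_jar(version="2.14.1"):
    """Constructed in-memory stand-in for a vulnerable log4j-core jar; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    buf.seek(0)
    return buf
```

On a real container you would pass the path of the log4j-core jar found in the Graylog installation instead of the constructed sample; the report separates "class removed" from "version actually upgraded" on purpose.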

bernd commented 2 years ago

@Andreik8s We will release a new stable version tomorrow that includes Log4j 2.17.1 for Graylog 4.2 and 4.1.

atc0005 commented 2 years ago

@bernd Any plans to support versions of Elasticsearch newer than 7.10? Based on their blog post and 7.10 documentation, it doesn't appear that Elastic.co will release fixes for the 7.10 series:

atc0005 commented 2 years ago

> @bernd Any plans to support versions of Elasticsearch newer than 7.10? Based on their blog post and 7.10 documentation, it doesn't appear that Elastic.co will release fixes for the 7.10 series:

To respond to my question:

https://github.com/Graylog2/graylog2-server/issues/11804

Apologies, I missed that existing issue.