IHTSDO / snowstorm

Scalable SNOMED CT Terminology Server using Elasticsearch

Check for log4shell vulnerability #347

Open danka74 opened 2 years ago

danka74 commented 2 years ago

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 https://logging.apache.org/log4j/2.x/security.html

kaicode commented 2 years ago

I confirm that affected log4j library versions are being used. Log4j library versions within the affected range (>=2.0-beta9 and <=2.14.1) are being pulled in via the transitive dependencies:

```text
org.elasticsearch:elasticsearch:jar:7.7.0
\- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

org.springframework.boot:spring-boot-starter-actuator:jar:2.3.3.RELEASE:compile
\- org.springframework.boot:spring-boot-starter-logging:jar:2.3.3.RELEASE:compile
   \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
```

danka74 commented 2 years ago

I added -Dlog4j2.formatMsgNoLookups=true to elasticsearch and snowstorm in docker-compose.yml while things are being updated.

```yaml
...
      - "ES_JAVA_OPTS=-Xms4g -Xmx4g -Dlog4j2.formatMsgNoLookups=true"
...
  entrypoint: java -Xms2g -Xmx4g -Dlog4j2.formatMsgNoLookups=true
...
```

BadRecordLength commented 2 years ago

Hi, looking through the related commit, it seems that the Log4J version has been updated to 2.15.0; however, this blog post by Elastic indicates that the 2.15.0 patch also has vulnerabilities and that the 2.17.0 version is required to fully address the issue. Please can the dependencies be updated to address this?
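
The two points made in this thread, that the affected Log4j versions arrive transitively (kaicode's dependency tree above) and that 2.15.0 is not a sufficient fix (the comment just above), are the kind of thing worth automating rather than eyeballing. The script below is an added example, not code from the snowstorm project: it parses `mvn dependency:tree` text output, picks out every `org.apache.logging.log4j` artifact and classifies its version against the boundaries stated in this thread (2.0-beta9 through 2.14.1 affected by CVE-2021-44228, 2.15.0 and 2.16.0 superseded, 2.17.0 as the floor). The sample tree is constructed from the lines quoted above plus one extra `log4j-core:2.15.0` line, and the `example:app` root coordinates are hypothetical. Two caveats a practitioner would want are encoded as well: the JNDI lookup code lives in `log4j-core`, so `log4j-api` and `log4j-to-slf4j` hits are a signal to confirm which `log4j-core` the runtime actually loads, and the `-Dlog4j2.formatMsgNoLookups=true` stopgap from earlier in the thread is only recognised by 2.10.0 and later and was subsequently listed by Apache as an insufficient mitigation.

```python
"""Classify Log4j 2 artifacts found in `mvn dependency:tree` output.

Added example for this thread, not code from the snowstorm project. Version
boundaries follow the thread: CVE-2021-44228 affects 2.0-beta9 through 2.14.1,
2.15.0 and 2.16.0 are superseded, and 2.17.0 is the floor asked for.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

LOG4J_GROUP = "org.apache.logging.log4j"

# Maven draws the tree with "+- ", "\- " and "|  " prefixes and, when run
# through the CLI, puts a leading "[INFO] " on every line.
TREE_PREFIX = re.compile(r"^(?:\[INFO\]\s*)?[\s|+\\-]*")
# Version strings such as 2.13.3, 2.0-beta9, 2.3.3.RELEASE: numbers, then qualifier.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$")


class Finding(NamedTuple):
    artifact: str
    version: str
    status: str


def version_key(version: str) -> Tuple[Tuple[int, ...], bool, str]:
    """Sortable key: numeric components, then 'is a release', then qualifier.

    Yields 2.0-beta9 < 2.0 < 2.14.1 < 2.15.0 < 2.17.0, which is all this
    check needs; it is not a full Maven ComparableVersion."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))          # pad so that 2.0 == 2.0.0.0
    qualifier = (m.group(2) or "").lower()
    return (nums, qualifier == "", qualifier)


V_FIRST_AFFECTED = version_key("2.0-beta9")
V_LAST_44228 = version_key("2.14.1")
V_FLOOR = version_key("2.17.0")
V_FLAG_MIN = version_key("2.10.0")     # log4j2.formatMsgNoLookups first recognised here


def classify(artifact: str, version: str) -> str:
    """Verdict string for one log4j artifact at one version."""
    key = version_key(version)
    if key[0][0] < 2:
        return "log4j 1.x line: outside CVE-2021-44228, end-of-life, review separately"
    if key < V_FIRST_AFFECTED:
        return "pre-2.0-beta9: outside the affected range"
    if key <= V_LAST_44228:
        verdict = "VULNERABLE (CVE-2021-44228)"
    elif key < V_FLOOR:
        verdict = "INCOMPLETE FIX (superseded release, upgrade to >= 2.17.0)"
    else:
        return "OK (>= 2.17.0)"
    # JndiLookup ships in log4j-core; api/bridge jars only prove the version
    # line is in use, so the runtime classpath still has to be checked.
    where = "core on classpath" if artifact == "log4j-core" else "check runtime for log4j-core"
    return f"{verdict}; {where}"


def jvm_flag_applies(version: str) -> bool:
    """True if -Dlog4j2.formatMsgNoLookups=true is even recognised (2.10.0+).

    Treat it as a stopgap only: Apache later listed it as an insufficient
    mitigation, so it does not replace the upgrade."""
    return version_key(version) >= V_FLAG_MIN


def parse_node(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (group, artifact, version) for one dependency:tree node, else None."""
    rest = TREE_PREFIX.sub("", line).strip()
    fields = rest.split(":")
    if len(fields) == 6:        # group:artifact:packaging:classifier:version:scope
        return fields[0], fields[1], fields[4]
    if len(fields) == 5:        # group:artifact:packaging:version:scope
        return fields[0], fields[1], fields[3]
    if len(fields) == 4:        # root module: group:artifact:packaging:version
        return fields[0], fields[1], fields[3]
    return None                 # plugin banners and other non-node lines


def scan(tree_text: str) -> List[Finding]:
    """Every org.apache.logging.log4j artifact in the tree, with its verdict."""
    findings = []
    for line in tree_text.splitlines():
        node = parse_node(line)
        if node and node[0] == LOG4J_GROUP:
            findings.append(Finding(node[1], node[2], classify(node[1], node[2])))
    return findings


# Constructed sample: the two subtrees quoted in the thread under a hypothetical
# example:app root, plus one log4j-core line to exercise the superseded branch.
SAMPLE_TREE = """\
[INFO] example:app:jar:1.0
[INFO] +- org.elasticsearch:elasticsearch:jar:7.7.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:2.3.3.RELEASE:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter-logging:jar:2.3.3.RELEASE:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
"""

if __name__ == "__main__":
    # Real usage: mvn dependency:tree | python3 log4j_check.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for f in scan(text):
        print(f"{f.artifact}:{f.version}  {f.status}")
```

Run against the sample, the two 2.13.3 hits are reported as vulnerable with a pointer to confirm the runtime `log4j-core`, and the 2.15.0 core is flagged as an incomplete fix rather than passed; only 2.17.0 or later reports OK, which is exactly the distinction this thread is about.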

kaicode commented 2 years ago

Well spotted. We are using 2.17.0 in the develop branch now, this will be part of the next release. Thanks for pointing this out.

BadRecordLength commented 2 years ago

> Well spotted. We are using 2.17.0 in the develop branch now, this will be part of the next release. Thanks for pointing this out.

Brilliant, thanks very much. Is there currently an ETA on the next release?

kaicode commented 2 years ago

The next release will be out before the end of January.