ada-discovery / ada-issues


Log4j zero-day #204

Closed sherzinger closed 2 years ago

sherzinger commented 2 years ago

This zero-day allows for RCE and has the highest priority. It probably affects all Ada instances, either via Elasticsearch or even Ada itself if log4j is used.

https://www.lunasec.io/docs/blog/log4j-zero-day/

sherzinger commented 2 years ago

Somewhat mitigated by the fact that Ada uses logback (thanks @LBolzani) and the fact that ES probably only contains admin-provided data, so no RCE is possible except by admins, who are already mostly trusted.

sherzinger commented 2 years ago

@LBolzani do you have an update? Is my assumption correct that no user-provided data is stored in ES?

LBolzani commented 2 years ago

Good morning @sherzinger, I didn't find any admin-provided data in ES. I would like to introduce this update in the Elasticsearch configuration, as they highlight in their advisory post:

I already did it in the test env, and I didn't encounter any issues.

Briefly they recommend this:

Affected Versions:

Elasticsearch versions 5.0.0+ contain a vulnerable version of Log4j. Elasticsearch 5 is susceptible to both remote code execution and an information leak via DNS. We’ve confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7.

Solutions and Mitigations:

The simplest remediation is to set the JVM option -Dlog4j2.formatMsgNoLookups=true and restart each node of the cluster. For Elasticsearch 5.6.11+, 6.4+, and 7.0+, this provides full protection against the RCE and information leak attacks.
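One way to check that the mitigation above is actually active on every node after the restart, as an added example (not code from this thread or from Ada): it reads the JVM arguments that Elasticsearch's real `GET /_nodes/jvm` API reports per node and compares each node's version against the thresholds quoted from the advisory. The response below is a constructed sample; `fetch_nodes_jvm` is a hypothetical helper for live use.

```python
import json
import urllib.request
from typing import Dict, Tuple

MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Versions from which the flag gives full protection, per the Elastic advisory
# quoted in the issue (5.6.11+, 6.4+, 7.0+). Other majors are reported as unknown.
FULLY_PROTECTED_FROM = {5: (5, 6, 11), 6: (6, 4, 0), 7: (7, 0, 0)}

# Constructed sample of a GET /_nodes/jvm response (three nodes, one without the flag,
# one on a version where the flag alone is not enough per the advisory).
SAMPLE_NODES_RESPONSE = json.dumps({"nodes": {
    "n1": {"name": "es-a", "version": "7.10.2",
           "jvm": {"input_arguments": ["-Xms1g", MITIGATION_FLAG]}},
    "n2": {"name": "es-b", "version": "6.8.1",
           "jvm": {"input_arguments": ["-Xms1g"]}},
    "n3": {"name": "es-c", "version": "5.6.4",
           "jvm": {"input_arguments": [MITIGATION_FLAG]}},
}})


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.10.2' into (7, 10, 2) so versions compare as tuples, not strings."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # pad e.g. '6.4' to (6, 4, 0)


def assess_nodes(response_json: str) -> Dict[str, str]:
    """Map each node name to one of: mitigated, flag-missing,
    flag-insufficient-version, unknown-version."""
    data = json.loads(response_json)
    result = {}
    for node in data["nodes"].values():
        args = node.get("jvm", {}).get("input_arguments", [])
        version = parse_version(node["version"])
        floor = FULLY_PROTECTED_FROM.get(version[0])
        if MITIGATION_FLAG not in args:
            status = "flag-missing"
        elif floor is None:
            status = "unknown-version"
        elif version >= floor:
            status = "mitigated"
        else:
            status = "flag-insufficient-version"
        result[node["name"]] = status
    return result


def fetch_nodes_jvm(base_url: str) -> str:
    """Hypothetical helper: pull the live response, e.g. base_url='http://localhost:9200'."""
    with urllib.request.urlopen(f"{base_url}/_nodes/jvm") as resp:
        return resp.read().decode("utf-8")
```

Run it against each environment's ES before closing the roll-out; any node that is not `mitigated` still needs attention.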

sherzinger commented 2 years ago

Perfect, let's do that :-) I'm downgrading the priority since we don't seem to be directly impacted, so this can wait for the next roll-out.