Closed sherzinger closed 2 years ago
Somewhat mitigated by the fact that Ada uses logback (thanks @LBolzani) and the fact that ES probably only contains admin-provided data, so no RCE is possible except by admins, who are already mostly trusted.
@LBolzani do you have an update? Is my assumption correct that no user-provided data is stored in ES?
Good morning @sherzinger, I didn't find any admin-provided data in ES. I would like to introduce this update in the Elasticsearch configuration, as they highlight in their advisory post:
I already did it in the test env and didn't encounter any issues.
Briefly, they recommend this:
Affected Versions:
Elasticsearch versions 5.0.0+ contain a vulnerable version of Log4j. Elasticsearch 5 is susceptible to both remote code execution and an information leak via DNS. We've confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7.
Solutions and Mitigations:
The simplest remediation is to set the JVM option -Dlog4j2.formatMsgNoLookups=true and restart each node of the cluster. For Elasticsearch 5.6.11+, 6.4+, and 7.0+, this provides full protection against the RCE and information leak attacks.
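As an added example (not code from the Ada project or from this thread), the script below checks whether the recommended JVM option has actually taken effect on every node, by reading the `jvm.input_arguments` list that Elasticsearch's GET _nodes/jvm API returns for each node, and compares the node version against the 5.6.11+ / 6.4+ / 7.0+ thresholds quoted from the advisory above. The `_nodes/jvm` response embedded in the script is constructed for the example, not captured from a real cluster; the file name `log4j2.options` under `jvm.options.d/` mentioned in the comments is an assumption about how one would deploy the flag.

```python
"""Added example (not code from the Ada project or the thread): checks which
Elasticsearch nodes have the Log4Shell mitigation JVM flag from Elastic's
advisory, based on the output of GET _nodes/jvm.

The version thresholds are the ones quoted from the advisory in the comment
above; the sample API response below is constructed for the example."""
import json
from typing import Dict, List, Tuple

# The JVM option Elastic recommends. Assumed deployment: write it into a file
# under /etc/elasticsearch/jvm.options.d/ (e.g. log4j2.options), restart each node.
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# Per major version, the minimum release where the advisory says the flag
# gives full protection against the RCE and the DNS information leak.
FULL_PROTECTION_MIN = {5: (5, 6, 11), 6: (6, 4, 0), 7: (7, 0, 0)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """'7.10.2' -> (7, 10, 2); tolerates '6.8' and a '-SNAPSHOT' suffix."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def flag_gives_full_protection(version: str) -> bool:
    """True only for the 5.6.11+, 6.4+ and 7.0+ ranges named in the advisory."""
    v = parse_version(version)
    minimum = FULL_PROTECTION_MIN.get(v[0])
    return minimum is not None and v >= minimum


def assess_nodes(nodes_jvm: dict) -> Dict[str, dict]:
    """Evaluate each node of a GET _nodes/jvm response.

    `jvm.input_arguments` is the argument list the JVM actually started with,
    so it shows whether the flag took effect after the restart (editing the
    options file without restarting leaves it absent here)."""
    report = {}
    for node in nodes_jvm["nodes"].values():
        version = node["version"]
        args = node.get("jvm", {}).get("input_arguments", [])
        flag_set = NO_LOOKUPS_FLAG in args
        major = parse_version(version)[0]
        report[node["name"]] = {
            "version": version,
            "flag_set": flag_set,
            # Advisory: the Security Manager blocks the RCE on ES 6 and 7,
            # but nothing is said about the DNS leak, so this alone is partial.
            "rce_blocked_by_security_manager": major in (6, 7),
            "fully_protected": flag_set and flag_gives_full_protection(version),
        }
    return report


def unprotected_nodes(nodes_jvm: dict) -> List[str]:
    """Names of nodes that still need action, sorted for stable output."""
    return sorted(name for name, r in assess_nodes(nodes_jvm).items()
                  if not r["fully_protected"])


# Constructed sample of a _nodes/jvm response (not captured from a real cluster):
# es-1 is patched, es-2 never got the flag, es-3 has the flag but is too old
# for the flag to give full protection.
SAMPLE_NODES_JVM = json.loads("""
{
  "nodes": {
    "aaa": {"name": "es-1", "version": "7.10.2",
            "jvm": {"input_arguments": ["-Xms1g", "-Xmx1g",
                                        "-Dlog4j2.formatMsgNoLookups=true"]}},
    "bbb": {"name": "es-2", "version": "6.8.0",
            "jvm": {"input_arguments": ["-Xms1g", "-Xmx1g"]}},
    "ccc": {"name": "es-3", "version": "5.6.4",
            "jvm": {"input_arguments": ["-Xms1g",
                                        "-Dlog4j2.formatMsgNoLookups=true"]}}
  }
}
""")

if __name__ == "__main__":
    for name, entry in assess_nodes(SAMPLE_NODES_JVM).items():
        print(name, entry)
    print("still unprotected:", unprotected_nodes(SAMPLE_NODES_JVM))
```

Against a live cluster, replace `SAMPLE_NODES_JVM` with the parsed body of `GET http://<node>:9200/_nodes/jvm`; a node whose version is below the quoted thresholds keeps showing up as unprotected even with the flag set, which is the case where an upgrade rather than the JVM option is needed.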
Perfect, let's do that :-) I'm downgrading the priority since we don't seem to be directly impacted, so this can wait for the next rollout.
This zero-day allows for RCE and has the highest priority. It probably affects all Ada instances, either via Elasticsearch or even Ada itself if Log4j is used.
https://www.lunasec.io/docs/blog/log4j-zero-day/