apache / fluo-muchos

Apache Fluo Muchos
https://fluo.apache.org
Apache License 2.0

Mitigate Log4Shell issues in ELK stack #425

Closed arvindshmicrosoft closed 2 years ago

arvindshmicrosoft commented 2 years ago

Fixes #418.

Muchos can be used to deploy an optional elkserver role wherein OSS versions of the ELK stack are deployed (see #338).

Elasticsearch and Logstash are among the external packages deployed when the elkserver role is optionally assigned to hosts in muchos.props. Both those packages use an older version of log4j2 which is vulnerable to the following known issues:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228 & https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Elasticsearch and Logstash have addressed these vulnerabilities in their 7.16.2 releases. However, due to licensing issues the last OSS ELK stack version is 7.10.2, which requires the removal of the JNDI class for mitigation.

Hence, we mitigate the known vulnerabilities by deleting the JNDI class from the older log4j2-core JAR deployed by those external components.
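The class-removal mitigation described in this PR, shown as an added example rather than the PR's own change (the page does not show how Muchos performs the deletion): a small Python tool that walks a deployment tree, finds every `log4j-core-*.jar`, reports whether it still contains `org/apache/logging/log4j/core/lookup/JndiLookup.class`, and rewrites the JAR without that entry. Because `zipfile` cannot delete in place, the JAR is copied entry by entry to a temporary file and atomically swapped in. The `build_sample_jar` fixture and the `log4j-core-sample.jar` name are constructed for the self-check and are not real Elasticsearch or Logstash artifacts.

```python
"""Find log4j-core JARs under a directory and strip JndiLookup.class
(the CVE-2021-44228 / CVE-2021-45046 mitigation used when upgrading is not an option).
Added example; not code from the fluo-muchos project."""
import os
import shutil
import tempfile
import zipfile

# Entry inside log4j-core that implements the JNDI lookup; removing it disables
# the vulnerable ${jndi:...} substitution across the 2.x line.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(root):
    """Return every log4j-core-*.jar below root, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def has_jndi_lookup(jar_path):
    """True if the JAR still ships the JndiLookup class (i.e. is unmitigated)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class. Returns True if an entry was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP_CLASS:
                    continue
                # Passing the ZipInfo keeps each entry's timestamp and compression method.
                dst.writestr(info, src.read(info.filename))
        shutil.copymode(jar_path, tmp_path)
        os.replace(tmp_path, jar_path)  # atomic swap so a crash never leaves a half-written JAR
    except Exception:
        os.unlink(tmp_path)
        raise
    return True


def mitigate_tree(root):
    """Strip JndiLookup from every log4j-core JAR under root; return the JARs changed."""
    return [jar for jar in find_log4j_core_jars(root) if strip_jndi_lookup(jar)]


def build_sample_jar(path, include_jndi=True):
    """Constructed fixture: a stand-in log4j-core JAR with placeholder class bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe placeholder")
    return path


def demo():
    """Self-check on a constructed tree; returns (before, changed, after, remaining, changed_again)."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    jar = build_sample_jar(os.path.join(lib, "log4j-core-sample.jar"))
    before = has_jndi_lookup(jar)
    changed = [os.path.basename(j) for j in mitigate_tree(root)]
    after = has_jndi_lookup(jar)
    with zipfile.ZipFile(jar) as zf:
        remaining = sorted(zf.namelist())
    changed_again = mitigate_tree(root)  # second pass must be a no-op
    shutil.rmtree(root)
    return before, changed, after, remaining, changed_again


if __name__ == "__main__":
    print(demo())
```

`has_jndi_lookup` doubles as the post-deployment check: running it over the Elasticsearch and Logstash `lib` directories confirms the mitigation actually landed on every host, and re-running `mitigate_tree` is safe because already-stripped JARs are skipped.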

keith-turner commented 2 years ago

I was unaware of a licensing change around ELK stack. After seeing this PR I looked into it and I have been reading : https://www.elastic.co/pricing/faq/licensing#summary-of-licensing-change . Am I looking in the correct direction? Is there anything additional specific to Apache worth looking at?

arvindshmicrosoft commented 2 years ago

> I was unaware of a licensing change around ELK stack. After seeing this PR I looked into it and I have been reading : https://www.elastic.co/pricing/faq/licensing#summary-of-licensing-change . Am I looking in the correct direction? Is there anything additional specific to Apache worth looking at?

Correct, this was a learning for me as well. 7.10.2 is the last released "OSS" (i.e. Apache 2.0 licensed) version from them.