Is Elasticsearch log4j2 vulnerable behind M2? Upgrade to ES 7.16.x?

[robolmos]

From the recent log4j2 vulnerability announcement, it looks like Elasticsearch may also be vulnerable: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Is that still the case when it's running behind Magento?

If so, M2 system requirements page has been showing older versions of ES, like 7.9 and 7.10, which may not receive any security update for this issue.

Is it safe to upgrade to ES 7.16.x if needed?

How's Adobe Commerce Cloud handling this issue? Upgrading ES or manual patching for formatMsgNoLookups=true?

[m2-assistant[bot]]

Hi @robolmos. Thank you for your report. To speed up processing of this issue, make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, review the Magento Contributor Assistant documentation.

Add a comment to assign the issue: @magento I am working on this

To learn more about issue processing workflow, refer to the Code Contributions.

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

  :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

:clock10: You can find the schedule on the Magento Community Calendar page.

:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

:movie_camera: You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

[DanielRuf]

According to Elastic they are not vulnerable for log4shell.

See https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager, however we are making a fix available for an information leakage attack also associated with this vulnerability. Additional details below.

Generally it makes not much difference if it is running behind Magento 2. In general ES has REST-APIs and is often available on specific ports.

Onlineshops should keep ES and Java updated to mitigate this.

[DanielRuf]

See also all comments at https://github.com/apache/logging-log4j2/pull/608

[freakpol]

So, if we indeed need to have ES updated to mitigate this, should we update to 7.16.x? Whats the deal with the requirement matrix then? For 2.4.2, 2.4.3 it says ES should be 7.9 and for 2.4.4 and 2.4.5 it should be 7.10, so, not sure how to deal with this....

[DanielRuf]

@freakpol did you read the official statement?

https://github.com/magento/magento2/issues/34796#issuecomment-991913539

For 2.4.2, 2.4.3 it says ES should be 7.9 and for 2.4.4 and 2.4.5 it should be 7.10, so, not sure how to deal with this....

Not sure, maybe it is the "least" requirement.

[DanielRuf]

Latest statement (see discussion):

Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage. This is due to Elasticsearch’s usage of the Java Security Manager. Most other versions (5.6.11+, 6.4.0+ and 7.0.0+) can be protected via a simple JVM property change. The information leak vulnerability does not permit access to data within the Elasticsearch cluster. We have released Elasticsearch 7.16.1 and 6.8.21 which contain the JVM property by default and remove certain components of Log4j out of an abundance of caution. Additional details below.

[DanielRuf]

See also https://xeraa.net/blog/2021_mitigate-log4j2-log4shell-elasticsearch/

[m2-assistant[bot]]

Hi @engcom-Hotel. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• [ ] 5. Add label Issue: Confirmed once verification is complete.

• [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

[engcom-Hotel]

Hello @robolmos,

I have gone through with the Magento's system requirement, it still shows the vulnerable version. It should be updated.

I have also gone through with the below link, it is also suggesting we to upgrade the ES with >= 7.16.1:

See also https://xeraa.net/blog/2021_mitigate-log4j2-log4shell-elasticsearch/

Hence confirming this issue.

Thanks

[github-jira-sync-bot]

:white_check_mark: Jira issue https://jira.corp.magento.com/browse/AC-2056 is successfully created for this GitHub issue.

[m2-assistant[bot]]

:white_check_mark: Confirmed by @engcom-Hotel. Thank you for verifying the issue.
Issue Available: @engcom-Hotel, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.