pelias / docker

Run the Pelias geocoder in docker containers, including example projects.
MIT License

0day vulnerability in log4j / elasticsearch #273

Closed hermitdemschoenenleben closed 2 years ago

hermitdemschoenenleben commented 2 years ago

Elasticsearch just released the 7.16.1 Docker image with fixes for the 0day vulnerability in log4j. While Elasticsearch officially claims that the bug is not exploitable in Elasticsearch, some people state that this is not true. Anyway, I think to be on the safe side it would make sense to upgrade to 7.16.1 of Elasticsearch. Do you know of any incompatibilities that may arise when upgrading from 7.5.1, which pelias/docker uses?

missinglink commented 2 years ago

We're tracking this issue in https://github.com/pelias/pelias/issues/921. As you mentioned, it's unlikely that the current ES version is vulnerable, but we're looking to upgrade anyway.

orangejulius commented 2 years ago

Absolutely. While it does look like recent versions of Elasticsearch 7 include newer JVMs that prevent most or all of the damage from log4j, there's no reason to risk it.

https://github.com/pelias/docker/pull/275 upgrades the default Elasticsearch image used by all the Docker projects.
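A small configuration check in the spirit of this thread, added here as an example and not code from pelias/docker: it scans a docker-compose fragment for Elasticsearch image tags that are below 7.16.1 (the release the thread recommends) or not pinned to a numeric version, so a deployment can be audited before and after the upgrade. The compose fragment and the image name `pelias/elasticsearch` are constructed assumptions for the example.

```python
import re
from typing import List, Tuple

# Minimum Elasticsearch image tag recommended in the thread (7.16.1 carries the log4j fixes).
PATCHED_TAG = "7.16.1"

# Constructed sample in the style of a pelias/docker compose file (image name is an assumption).
SAMPLE_COMPOSE = """\
version: '3'
services:
  elasticsearch:
    image: pelias/elasticsearch:7.5.1
    container_name: pelias_elasticsearch
  api:
    image: pelias/api:master
"""

# Matches "image: <ref>" lines, with or without quotes around the reference.
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s]+)['\"]?\s*$", re.MULTILINE)


def parse_version(tag: str) -> Tuple[int, ...]:
    """Turn a tag such as '7.5.1' into (7, 5, 1); non-numeric tags give ()."""
    parts = tag.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return ()
    return tuple(int(p) for p in parts)


def split_image(image: str) -> Tuple[str, str]:
    """Split 'repo:tag' on the last colon; a registry port is not a tag."""
    repo, _, tag = image.rpartition(":")
    if not repo or "/" in tag:  # no tag at all (implicit 'latest')
        return image, ""
    return repo, tag


def check_elasticsearch(compose_text: str, minimum: str = PATCHED_TAG) -> List[str]:
    """One finding per Elasticsearch image that is unpinned or below `minimum`."""
    findings = []
    for image in IMAGE_RE.findall(compose_text):
        repo, tag = split_image(image)
        if "elasticsearch" not in repo:
            continue
        version = parse_version(tag)
        if not version:
            findings.append(f"{image}: unpinned or non-numeric tag, pin to {minimum} or newer")
        elif version < parse_version(minimum):
            findings.append(f"{image}: below {minimum}, upgrade")
    return findings


if __name__ == "__main__":
    print("\n".join(check_elasticsearch(SAMPLE_COMPOSE)) or f"elasticsearch image is at or above {PATCHED_TAG}")
```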