Because of the log4j vulnerability, I need to patch an Elasticsearch 5.6.16 instance that I cannot immediately update.
The docker image uses:
- /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
- /usr/share/elasticsearch/log4j-core-2.11.1.jar
Can elasticsearch 5.6.16 work with log4j-core-2.16?
And is it the correct way to replace both with the core jar that can be found here https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/ ?
CodePudding user response:
According to the official security announcement, if you're running on 5.6.16 you don't need to upgrade Log4J but simply set the following JVM option:
-Dlog4j2.formatMsgNoLookups=true
As an additional mitigation, you can also remove the JndiLookup class from the log4j JAR using:
zip -q -d <ES_HOME>/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
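
To confirm the class removal took effect, the audit below (an added example, not part of the original answer or Elasticsearch's tooling) walks a directory tree and reports which log4j-core jars still contain JndiLookup.class. It searches recursively because the question lists a second copy of the jar outside lib/, which the zip glob above does not touch; the function names and the sample jars are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Class path taken from the zip command in the answer above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def audit_log4j_jars(root):
    """Map each log4j-core jar under root to True (JndiLookup still present),
    False (removed) or None (jar could not be read)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                try:
                    with zipfile.ZipFile(path) as jar:
                        results[path] = JNDI_CLASS in jar.namelist()
                except zipfile.BadZipFile:
                    results[path] = None  # corrupt or not a zip: inspect by hand
    return results


def build_sample_tree(root):
    """Constructed sample: the lib/ copy is already stripped, the top-level copy is not."""
    os.makedirs(os.path.join(root, "lib"))
    stripped = os.path.join(root, "lib", "log4j-core-2.11.1.jar")
    untouched = os.path.join(root, "log4j-core-2.11.1.jar")
    with zipfile.ZipFile(stripped, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    with zipfile.ZipFile(untouched, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        jar.writestr(JNDI_CLASS, b"")
    return stripped, untouched


if __name__ == "__main__":
    # Demo on constructed jars; point audit_log4j_jars at the real ES home instead.
    with tempfile.TemporaryDirectory() as es_home:
        build_sample_tree(es_home)
        labels = {True: "JndiLookup PRESENT", False: "JndiLookup removed",
                  None: "unreadable"}
        for path, present in sorted(audit_log4j_jars(es_home).items()):
            print(f"{labels[present]}: {os.path.relpath(path, es_home)}")
```

Run it again after every image rebuild, since a fresh base image restores the unmodified jars.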