Elasticsearch 5.6.16 patch log4j with 2.16

Time:12-16

Because of the log4j vulnerability I need to patch an Elasticsearch 5.6.16 instance that I cannot immediately update.

The docker image uses:

  • /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
  • /usr/share/elasticsearch/log4j-core-2.11.1.jar

Can elasticsearch 5.6.16 work with log4j-core-2.16?

And is it the correct way to replace both with the core jar that can be found here https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/ ?

CodePudding user response:

According to the official security announcement, if you're running on 5.6.16 you don't need to upgrade Log4J but simply set the following JVM option:

-Dlog4j2.formatMsgNoLookups=true

As an additional mitigation, you can also remove the JndiLookup class from the log4j JAR using:

zip -q -d <ES_HOME>/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
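
A check for both mitigations from the answer above, as an added example (not part of the original post and not Elastic's tooling): it scans every log4j-core jar under the Elasticsearch home, including the second copy outside lib/ that the question lists, for a remaining JndiLookup.class, and looks for the flag on an active line of jvm.options. The config/jvm.options location and all function names are assumptions; a flag passed only through ES_JAVA_OPTS is not detected.

```python
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def jars_with_jndilookup(es_home):
    """Return log4j-core jars under es_home that still contain JndiLookup.class."""
    hits = []
    for jar in sorted(Path(es_home).rglob("log4j-core-*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if JNDI_CLASS in zf.namelist():
                    hits.append(jar)
        except zipfile.BadZipFile:
            hits.append(jar)  # unreadable archive: report it as unverified
    return hits


def flag_is_set(jvm_options_path):
    """True if the flag is on an active (non-comment) line of jvm.options."""
    try:
        lines = Path(jvm_options_path).read_text().splitlines()
    except FileNotFoundError:
        return False
    return any(line.strip() == NOLOOKUPS_FLAG for line in lines)


def audit(es_home, jvm_options_path=None):
    """Report the state of both mitigations for one Elasticsearch install."""
    es_home = Path(es_home)
    # Assumed default location of jvm.options (hypothetical for your layout).
    opts = Path(jvm_options_path) if jvm_options_path else es_home / "config" / "jvm.options"
    return {
        "flag_set": flag_is_set(opts),
        "jars_with_jndilookup": [str(p) for p in jars_with_jndilookup(es_home)],
    }


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/elasticsearch"
    report = audit(home)
    print(report)
    # Non-zero exit if either mitigation is missing, so it can gate an image build.
    sys.exit(0 if report["flag_set"] and not report["jars_with_jndilookup"] else 1)
```
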