CVE-2021-44228 was a very serious problem end of 2021, and we are still finding new occurrences, or security teams scan servers and find vulnerable log4j files. Don’t get me wrong most of these occurrences are not vulnerable any more, because the JVM is hardened like in the Elasticsearch 7 containers, or they use of the JVM parameter -Dlog4j2.formatMsgNoLookups=true
.
A good summary and explanation can be found in Mitigate Log4j / Log4Shell in Elasticsearch (CVE-2021-44228) and Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 . So some versions of Elasticsearch 7 are using the vulnerable library, but are not vulnerable and provide the RCE, because the official Elasticsearch images are using the Java Security Manager and the images from HCL are on Java 11 which is not vulnerable for RCE and information leakage with Log4Shell.
bash-5.0# java -version
openjdk version "11.0.9" 2020-10-20
OpenJDK Runtime Environment (build 11.0.9+11-alpine-r0)
OpenJDK 64-Bit Server VM (build 11.0.9+11-alpine-r0, mixed mode)
So the Security Bulletin: Apache Log4j 2 Vulnerability in Elasticsearch distributed in HCL Connections Component Pack(CVE-2021-44228) is not wrong when it tells us, that Connections 7 is not vulnerable for the log4shell CVE, but Componentpack 7.0.0.2 is using Elasticsearch 7.10.1 and this is distributed with log4j < 2.17.0.
I tried to find an update in the knowledge base, but couldn’t find more as the mentioned security bulletin. So I opened a case and first I got told that the image is not vulnerable, and no updates are available, but I asked for updated images because the security team at my customer does not accept this.
Yesterday I got the following answer:
ES7 was not affected, however, out of an abundance of caution they did merge log4j 2.17.0 into their ES7 image so we have done the same. The existing log4j on our ES7 docker image has been deleted and replaced with 2.17.0.
The latest ES7 image which includes the updated log4j 2.17.0 is available on Flexnet. Below is the link to Connections 7 downloads: https://hclsoftware.flexnetoperations.com/flexnet/operationsportal/entitledDownloadFile.action?downloadPkgId=HCL_Connections_7.0&orgId=HCL
The customer should download the following:
ReadMe which includes instructions to load and register the new ES7 docker image along w/ the image and helm chart: ReadMe for the Elastic Search 7 update for HCL Connection Component Pack 3.28KB May 20, 2022 elasticsearch720220310-143242-ReadMe.txt
This package contains an update for Elastic Search 7 for HCL Connections Component Pack v7.0.0.x and v7.0.0.2 560.03MB May 02, 2022 elasticsearch720220310-143242.tgz
This package contains an updated helm chart for Elastic Search 7 for HCL Connections Component Pack v7.0.0.x and v7.0.0.2 38.6KB May 02, 2022 elasticsearch7-0.1.0-20220310-143242.tgz
The images to update Elasticsearch 7 are availble since May on Flexnet!
As this is nowhere documented, I asked for an updated knowledge base article and post it here, so you can update your environment too. Main advantage of the image update: no more questions why your software is staying with old and vulnerable libraries.