$ equery files app-misc/elasticsearch | grep log4j /etc/elasticsearch/log4j2.properties /usr/share/elasticsearch/lib/log4j-1.2-api-2.11.1.jar /usr/share/elasticsearch/lib/log4j-api-2.11.1.jar /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar All log4j 2.x versions below 2.15.0 are vulnerable to log4shell. We could mitigate this on our side by setting -Dlog4j2.formatMsgNoLookups=true in the jvm.options file while we wait for any upstream information on this.
Thanks for reporting! Note that this doesn't actually seem to be vulnerable to remote code execution according to URL: "Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager, however we are making a fix available for an information leakage attack also associated with this vulnerability and recommend that all customers apply the configuration." "Users may upgrade to Elasticsearch 6.8.21 or 7.16.1 once they are released"
You forgot bug tags ;)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5b848a75ef98d7d9128c23a41b7c517fbd27853 commit d5b848a75ef98d7d9128c23a41b7c517fbd27853 Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2021-12-13 19:52:50 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-12-14 01:16:47 +0000 app-admin/filebeat: bump to 7.16.1 Bug: https://bugs.gentoo.org/828969 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/23293 Signed-off-by: Sam James <sam@gentoo.org> app-admin/filebeat/Manifest | 844 ++++++++++++++ app-admin/filebeat/filebeat-7.16.1.ebuild | 1795 +++++++++++++++++++++++++++++ 2 files changed, 2639 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b54b9cff6247158048f9ab869db4b57052044b30 commit b54b9cff6247158048f9ab869db4b57052044b30 Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2021-12-13 19:47:04 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-12-14 01:16:42 +0000 app-admin/logstash-bin: bump to 6.8.21/7.16.1, drop old Bug: https://bugs.gentoo.org/828969 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Signed-off-by: Sam James <sam@gentoo.org> app-admin/logstash-bin/Manifest | 14 +--- app-admin/logstash-bin/logstash-bin-6.8.19.ebuild | 73 ------------------ ...in-6.8.17.ebuild => logstash-bin-6.8.21.ebuild} | 0 app-admin/logstash-bin/logstash-bin-7.15.0.ebuild | 88 ---------------------- app-admin/logstash-bin/logstash-bin-7.15.1.ebuild | 88 ---------------------- ...in-7.13.4.ebuild => logstash-bin-7.16.1.ebuild} | 0 6 files changed, 4 insertions(+), 259 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d49f5d37b9d90d7daa5f4e9bb87488197e76293 commit 1d49f5d37b9d90d7daa5f4e9bb87488197e76293 Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2021-12-13 19:45:15 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-12-14 01:16:36 +0000 www-apps/kibana-bin: bump to 6.8.21/7.16.1, drop old Bug: https://bugs.gentoo.org/828969 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Signed-off-by: Sam James <sam@gentoo.org> www-apps/kibana-bin/Manifest | 10 +-- www-apps/kibana-bin/files/kibana.initd-r1 | 11 +-- www-apps/kibana-bin/kibana-bin-6.8.19.ebuild | 89 --------------------- ...-bin-6.8.17.ebuild => kibana-bin-6.8.21.ebuild} | 0 www-apps/kibana-bin/kibana-bin-7.13.4.ebuild | 93 ---------------------- www-apps/kibana-bin/kibana-bin-7.15.0.ebuild | 93 ---------------------- ...-bin-7.15.1.ebuild => kibana-bin-7.16.1.ebuild} | 6 +- 7 files changed, 7 insertions(+), 295 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc58f8fd31e519dcc5648566e5f84d959b714979 commit cc58f8fd31e519dcc5648566e5f84d959b714979 Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2021-12-13 19:44:08 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-12-14 01:16:31 +0000 app-misc/elasticsearch: bump to 6.8.21/7.16.1, drop old Bug: https://bugs.gentoo.org/828969 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Signed-off-by: Sam James <sam@gentoo.org> app-misc/elasticsearch/Manifest | 10 +-- app-misc/elasticsearch/elasticsearch-6.8.17.ebuild | 88 ---------------------- ...h-6.8.19.ebuild => elasticsearch-6.8.21.ebuild} | 0 app-misc/elasticsearch/elasticsearch-7.13.4.ebuild | 82 -------------------- app-misc/elasticsearch/elasticsearch-7.15.1.ebuild | 83 -------------------- ...h-7.15.0.ebuild => elasticsearch-7.16.1.ebuild} | 0 6 files changed, 3 insertions(+), 260 deletions(-)
Unstable so no GLSA, all done! Thanks all!
(In reply to Sam James from comment #2) > You forgot bug tags ;) Sorry I just later realized we had this bug open :(
