
Bug 828969

Summary: <app-misc/elasticsearch-{6.8.21,7.16.1}: bundled vulnerable log4j implementation
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: hydrapolic, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
See Also: https://github.com/gentoo/gentoo/pull/23293
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 828837

Description Hans de Graaff gentoo-dev Security 2021-12-12 07:45:26 UTC
$ equery files app-misc/elasticsearch | grep log4j
/etc/elasticsearch/log4j2.properties
/usr/share/elasticsearch/lib/log4j-1.2-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar

All log4j 2.x versions below 2.15.0 are vulnerable to log4shell.

We could mitigate this on our side by setting 

-Dlog4j2.formatMsgNoLookups=true

in the jvm.options file while we wait for any upstream information on this.
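An added check (example code, not part of the bug report and not Gentoo's or Elastic's tooling) that automates what the description does by hand: it scans an Elasticsearch lib directory for the bundled log4j-core jar, flags any version below 2.15.0, and checks whether jvm.options carries the -Dlog4j2.formatMsgNoLookups=true line. The lib directory and jvm.options used below are a constructed temporary fixture; on a Gentoo install the real paths are /usr/share/elasticsearch/lib and /etc/elasticsearch/jvm.options.

```sh
#!/bin/sh
# Added example (not from the bug report): audit an Elasticsearch install for
# a bundled log4j-core below 2.15.0 and for the formatMsgNoLookups mitigation.

# version_lt A B: return 0 (true) if dotted version A is lower than B.
# Pure POSIX awk so it does not depend on `sort -V`.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
            if (p < q) exit 0;
            if (p > q) exit 1;
        }
        exit 1
    }'
}

# check_log4j_core LIBDIR: print one line per log4j-core jar found and
# return 0 only if every one of them is at least 2.15.0.
# log4j-api and log4j-1.2-api jars are deliberately ignored: the JNDI lookup
# code lives in log4j-core, so that is the jar whose version matters.
check_log4j_core() {
    libdir="$1"
    status=0
    for jar in "$libdir"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue          # glob did not match anything
        ver="${jar##*/log4j-core-}"        # strip directory and prefix
        ver="${ver%.jar}"                  # strip extension -> e.g. 2.11.1
        if version_lt "$ver" 2.15.0; then
            echo "VULNERABLE log4j-core $ver in $jar"
            status=1
        else
            echo "OK log4j-core $ver in $jar"
        fi
    done
    return $status
}

# has_nolookups_flag JVM_OPTIONS: return 0 if the file has the mitigation as an
# active (uncommented) line. Does not look at ES_JAVA_OPTS in the environment.
has_nolookups_flag() {
    grep -Eq '^[[:space:]]*-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$' "$1"
}

# --- constructed demo fixture, mirroring the jars listed in the bug report ---
demo=$(mktemp -d)
mkdir -p "$demo/lib"
: > "$demo/lib/log4j-1.2-api-2.11.1.jar"
: > "$demo/lib/log4j-api-2.11.1.jar"
: > "$demo/lib/log4j-core-2.11.1.jar"
printf -- '-Xms1g\n-Xmx1g\n' > "$demo/jvm.options"   # no mitigation line yet

check_log4j_core "$demo/lib" || echo "=> upgrade, or set the mitigation flag until you can"
if has_nolookups_flag "$demo/jvm.options"; then
    echo "jvm.options: -Dlog4j2.formatMsgNoLookups=true is set"
else
    echo "jvm.options: mitigation flag missing"
fi
rm -rf "$demo"
```

The flag check only confirms that the property line is present; it is the stop-gap proposed above, and the version bump that closes this bug is the actual fix.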
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-12 20:12:33 UTC
Thanks for reporting! Note that this doesn't actually seem to be vulnerable to remote code execution according to URL:

"Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager, however we are making a fix available for an information leakage attack also associated with this vulnerability and recommend that all customers apply the configuration."

"Users may upgrade to Elasticsearch 6.8.21 or 7.16.1 once they are released"
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-14 01:16:24 UTC
You forgot bug tags ;)
Comment 3 Larry the Git Cow gentoo-dev 2021-12-14 01:19:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5b848a75ef98d7d9128c23a41b7c517fbd27853

commit d5b848a75ef98d7d9128c23a41b7c517fbd27853
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-12-13 19:52:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-14 01:16:47 +0000

    app-admin/filebeat: bump to 7.16.1
    
    Bug: https://bugs.gentoo.org/828969
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/23293
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/filebeat/Manifest               |  844 ++++++++++++++
 app-admin/filebeat/filebeat-7.16.1.ebuild | 1795 +++++++++++++++++++++++++++++
 2 files changed, 2639 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b54b9cff6247158048f9ab869db4b57052044b30

commit b54b9cff6247158048f9ab869db4b57052044b30
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-12-13 19:47:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-14 01:16:42 +0000

    app-admin/logstash-bin: bump to 6.8.21/7.16.1, drop old
    
    Bug: https://bugs.gentoo.org/828969
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/logstash-bin/Manifest                    | 14 +---
 app-admin/logstash-bin/logstash-bin-6.8.19.ebuild  | 73 ------------------
 ...in-6.8.17.ebuild => logstash-bin-6.8.21.ebuild} |  0
 app-admin/logstash-bin/logstash-bin-7.15.0.ebuild  | 88 ----------------------
 app-admin/logstash-bin/logstash-bin-7.15.1.ebuild  | 88 ----------------------
 ...in-7.13.4.ebuild => logstash-bin-7.16.1.ebuild} |  0
 6 files changed, 4 insertions(+), 259 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d49f5d37b9d90d7daa5f4e9bb87488197e76293

commit 1d49f5d37b9d90d7daa5f4e9bb87488197e76293
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-12-13 19:45:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-14 01:16:36 +0000

    www-apps/kibana-bin: bump to 6.8.21/7.16.1, drop old
    
    Bug: https://bugs.gentoo.org/828969
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/kibana-bin/Manifest                       | 10 +--
 www-apps/kibana-bin/files/kibana.initd-r1          | 11 +--
 www-apps/kibana-bin/kibana-bin-6.8.19.ebuild       | 89 ---------------------
 ...-bin-6.8.17.ebuild => kibana-bin-6.8.21.ebuild} |  0
 www-apps/kibana-bin/kibana-bin-7.13.4.ebuild       | 93 ----------------------
 www-apps/kibana-bin/kibana-bin-7.15.0.ebuild       | 93 ----------------------
 ...-bin-7.15.1.ebuild => kibana-bin-7.16.1.ebuild} |  6 +-
 7 files changed, 7 insertions(+), 295 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc58f8fd31e519dcc5648566e5f84d959b714979

commit cc58f8fd31e519dcc5648566e5f84d959b714979
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-12-13 19:44:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-14 01:16:31 +0000

    app-misc/elasticsearch: bump to 6.8.21/7.16.1, drop old
    
    Bug: https://bugs.gentoo.org/828969
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/elasticsearch/Manifest                    | 10 +--
 app-misc/elasticsearch/elasticsearch-6.8.17.ebuild | 88 ----------------------
 ...h-6.8.19.ebuild => elasticsearch-6.8.21.ebuild} |  0
 app-misc/elasticsearch/elasticsearch-7.13.4.ebuild | 82 --------------------
 app-misc/elasticsearch/elasticsearch-7.15.1.ebuild | 83 --------------------
 ...h-7.15.0.ebuild => elasticsearch-7.16.1.ebuild} |  0
 6 files changed, 3 insertions(+), 260 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-15 00:27:15 UTC
Unstable so no GLSA, all done! Thanks all!
Comment 5 Tomáš Mózes 2021-12-15 06:14:05 UTC
(In reply to Sam James from comment #2)
> You forgot bug tags ;)

Sorry I just later realized we had this bug open :(