14. 12. 2021 Luca Franzoi Bug Fixes, NetEye

NetEye 3 Logstash and Elasticsearch – Security Advisory

Synopsis

Important: Elasticsearch and Logstash security mitigation

Type/Severity

Security Advisory: Important

Topic

A mitigation for Logstash and Elasticsearch is now available for NetEye 3.

NetEye Product Security has rated this mitigation as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Affected Products

NetEye 3.x systems with log4j 2.x installed.
To check if your system is affected, run the following commands and check whether locate returns a non-empty result:

updatedb
locate log4j-core-2

Description

Elasticsearch is a distributed, RESTful search and analytics engine. Logstash is a dynamic data collection and transformation pipeline with an extensible plugin ecosystem. Both are core components of NetEye 3.

Elasticsearch and Logstash rely on the Log4j2 library for writing their logs.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Solution

Remove the JndiLookup class from the log4j-core jar packages used by Logstash and Elasticsearch by executing the following commands:

zip -q -d /opt/logstash/logstash-core/lib/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

zip -q -d /usr/share/elasticsearch/lib/log4j-core-2.7.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

If you are running a NetEye cluster, ensure you perform these steps on every cluster node.
Also remember to freeze the neteye cluster service (clusvcadm -Z neteye) before restarting, and to re-enable it after services are fully restarted (clusvcadm -U neteye).

Finally, restart both the logstash and elasticsearch instances.

/etc/init.d/elasticsearch restart
/etc/init.d/logstash restart
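
To confirm the mitigation on each node, the following added example (not part of the original advisory or of NetEye itself) scans for log4j-core 2.x jars and reports whether JndiLookup.class is still packaged in each one. The default paths are the two install trees named in the commands above; make_sample_jar is a hypothetical helper that builds constructed test jars.

```python
#!/usr/bin/env python3
"""Check that JndiLookup.class is gone from every log4j-core 2.x jar."""
import os
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_status(path):
    """'vulnerable' if the class is still packaged, 'mitigated' if it was
    removed, 'unreadable' if the archive cannot be opened (e.g. truncated)."""
    try:
        with zipfile.ZipFile(path) as jar:
            return "vulnerable" if JNDI_CLASS in jar.namelist() else "mitigated"
    except (zipfile.BadZipFile, OSError):
        return "unreadable"


def scan(roots):
    """Walk each root and map every log4j-core-2*.jar to its status."""
    results = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.startswith("log4j-core-2") and name.endswith(".jar"):
                    full = os.path.join(dirpath, name)
                    results[full] = jar_status(full)
    return results


def make_sample_jar(path, with_jndi):
    """Constructed test input: a tiny jar with placeholder class bytes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


if __name__ == "__main__":
    # With no arguments, scan the two install trees named in the advisory.
    roots = sys.argv[1:] or ["/opt/logstash", "/usr/share/elasticsearch"]
    found = scan(roots)
    for path, status in sorted(found.items()):
        print("%-11s %s" % (status, path))
    # Non-zero exit if any jar is not confirmed clean, for use in automation.
    sys.exit(1 if any(s != "mitigated" for s in found.values()) else 0)
```

Pass additional directories as arguments to cover copies that locate reported outside the two default trees.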

Fixes

CVEs

References

Luca Franzoi

Service & Support Engineer at Würth Phoenix
