Important: Elasticsearch and Logstash security updates
Security Advisory: Important
An update for Logstash and Elasticsearch is now available for NetEye 4.20 and 4.21.
NetEye Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Elasticsearch is a distributed, RESTful search and analytics engine. Logstash is a dynamic data collection and transformation pipeline with an extensible plugin ecosystem. Both are the core components of the NetEye 4 APM, Log and SIEM modules.
Elasticsearch and Logstash rely on the Log4j2 library for writing their logs.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section inside the User Guide.
After installing the updated packages, the elasticsearch and logstash daemons will be restarted automatically.
-Dlog4j2.formatMsgNoLookups=true directive to the bottom of both the
Remove the jndiLookup class from the log4j jar package used by logstash by executing the following command:
zip -q -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
If you are running a NetEye cluster, ensure you perform these steps on every cluster node.
Finally, restart both the logstash and elasticsearch instances.
All NetEye 4.x versions prior to and including 4.21.