Summary
A high severity vulnerability (CVE-2021-44228) affecting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project's GitHub on December 9, 2021. Two issues have been identified:
- Elasticsearch versions 6.0.0+ may contain a vulnerable version of Log4j and, depending on your current configuration, are susceptible to remote code execution and an information leak via DNS.
How does the vulnerability impact Elasticsearch?
- Elasticsearch 6 and 7 are not susceptible to remote code execution with this vulnerability due to the use of the Java Security Manager.
- Elasticsearch running on JDK 8 or below is susceptible to an information leak via DNS, which is fixable by the JVM option identified below. The vulnerability is present in versions earlier than 6.4 and 7.0. The leak does not permit access to data within the Elasticsearch cluster.
- Elasticsearch versions between 6.0.0 and 6.8.20 require a configuration change to mitigate the vulnerability.
- Content Manager is not directly affected by the vulnerability.
How does the vulnerability relate to Content Manager?
- Elasticsearch is only supported from Content Manager version 9.2 onward. Prior to Content Manager 9.2, IDOL was used, so those installations are not vulnerable.
- Content Manager 9.2 and 9.3 require Elasticsearch 6 (a Micro Focus requirement). Elasticsearch 6 requires a separate JDK instance to be installed on the server. Check the installed JDK version in Programs and Features to ensure it is greater than version 8. If the version is 8 or below, one of the solutions below will need to be applied.
- Elasticsearch 7 includes its own JDK, and as such it is not affected by either vulnerability. However, Elasticsearch 7 is only compatible with Content Manager 9.4 and above. Anyone on an earlier build will need to ensure the solution is applied.
Solutions
Upgrade (Recommended)
Elasticsearch recommends upgrading as the complete mitigation for these vulnerabilities. Use the following guide to determine which version is right for you:
| Content Manager Version | Upgrade to Elasticsearch Version |
|---|---|
| 9.2.x or 9.3.x | 6.8.23+ |
| 9.4.x or 10.x | 7.16.3+ |
Update
If you are not in a position to upgrade, complete the following:
- Add the following JVM option to the jvm.options file:
  `-Dlog4j2.formatMsgNoLookups=true`
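A small posture check that applies the rules stated on this page, added here as an example and not part of the original advisory. It assumes the reader supplies the Elasticsearch version, the output of `java -version`, and the contents of jvm.options; the version thresholds and the flag are the ones given above.

```python
"""Log4Shell (CVE-2021-44228) posture check for an Elasticsearch node, per the guidance above."""
import re

MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
FIXED_IN = {6: (6, 8, 23), 7: (7, 16, 3)}  # upgrade targets from the table above


def parse_version(text):
    """'6.8.20' -> (6, 8, 20); legacy JDK strings like '1.8.0_292' -> (8, 0, 292)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    if major == 1:  # pre-Java 9 naming: 1.8.0_x means Java 8
        update = re.search(r"_(\d+)", text)
        return (minor, patch, int(update.group(1)) if update else 0)
    return (major, minor, patch)


def flag_present(jvm_options_text):
    """True only if the flag is an active (uncommented) line in jvm.options."""
    return any(line.strip() == MITIGATION_FLAG
               for line in jvm_options_text.splitlines()
               if not line.strip().startswith("#"))


def assess(es_version, java_version_output, jvm_options_text):
    """Return one of: upgraded, bundled_jdk, add_flag, workaround_ok, out_of_scope."""
    es = parse_version(es_version)
    jdk_major = parse_version(java_version_output)[0]
    if es[0] in FIXED_IN and es >= FIXED_IN[es[0]]:
        return "upgraded"      # 6.8.23+ or 7.16.3+: fully patched build
    if es[0] == 7:
        return "bundled_jdk"   # ships its own JDK; upgrade to 7.16.3+ when possible
    if es[0] == 6:
        if jdk_major <= 8 and not flag_present(jvm_options_text):
            return "add_flag"  # DNS information leak on JDK 8 or below
        return "workaround_ok" # flag set or JDK above 8; still upgrade to 6.8.23+
    return "out_of_scope"      # versions this advisory does not cover


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real system.
    java8 = 'java version "1.8.0_292"\nJava(TM) SE Runtime Environment'
    unmitigated = "-Xms2g\n-Xmx2g\n# -Dlog4j2.formatMsgNoLookups=true\n"
    mitigated = unmitigated + MITIGATION_FLAG + "\n"
    print(assess("6.8.20", java8, unmitigated))  # add_flag
    print(assess("6.8.20", java8, mitigated))    # workaround_ok
```

Note that a commented-out flag line does not count as applied; the check only accepts an active line that matches the option exactly.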