Hello,
If you read this, you are probably aware that there is a huge security flaw in the current log4j < 2.15 implementation that can lead to code execution on your server. See https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/ for the full story.
This post is about how to configure Elastic Search (ELK) and Logstash on your CentOS 8 system to avoid this, so you don’t have to search.
vim /etc/logstash/jvm.options
# CVE-2021-44228
-Dlog4j2.formatMsgNoLookups=True
systemctl restart logstash
vim /etc/elasticsearch/jvm.options
# CVE-2021-44228
-Dlog4j2.formatMsgNoLookups=True
systemctl restart elasticsearch
Do this for every service that uses log4j. Solr is also affected, for example. The pattern is to find the file (usually jvm.options in Apache products) that permits you to add this JVM option to your service startup command line.
Hope this helps
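
The manual steps above as a repeatable check, added here as an example that is not part of the original post: it appends the option only when no uncommented line already sets it, and verifies that a JVM's command line actually carries the flag after the restart. The function names, the `.bak-log4j` backup suffix and the `--apply` argument are assumptions of this sketch.

```bash
#!/bin/sh
# Added example: idempotent edit of jvm.options plus a post-restart check.
OPT='-Dlog4j2.formatMsgNoLookups=true'

# has_mitigation FILE: succeeds if an uncommented line sets the option to true
# (case-insensitive, so "True" as written in the post also matches).
has_mitigation() {
    grep -Eiq '^[[:space:]]*-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$' "$1"
}

# ensure_mitigation FILE: prints "present", "added" or "missing".
# A commented-out copy of the option does not count as present.
ensure_mitigation() {
    if [ ! -f "$1" ]; then
        echo "missing"
        return 1
    fi
    if has_mitigation "$1"; then
        echo "present"
        return 0
    fi
    cp -p "$1" "$1.bak-log4j"   # keep a copy of the file before editing
    printf '\n# CVE-2021-44228\n%s\n' "$OPT" >> "$1"
    echo "added"
}

# cmdline_has_flag FILE: FILE is a NUL-separated argument list, the format of
# /proc/<pid>/cmdline on Linux. Succeeds if the JVM was started with the option.
cmdline_has_flag() {
    tr '\0' '\n' < "$1" | grep -Eixq -e '-Dlog4j2\.formatMsgNoLookups=true'
}

# Only touches the real files when called with --apply (assumed argument name).
if [ "${1:-}" = "--apply" ]; then
    for f in /etc/logstash/jvm.options /etc/elasticsearch/jvm.options; do
        printf '%s: %s\n' "$f" "$(ensure_mitigation "$f")"
    done
fi
```

After `systemctl restart`, pass `/proc/<pid>/cmdline` of the service's java process to `cmdline_has_flag` to confirm the running JVM picked the option up.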