IBM Support

Guidance for Log4j in regards to ElasticSearch in IBM Security SOAR

Troubleshooting


Problem

CVE-2021-44228

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Resolving The Problem

Update: December 21, 2021

  • Added instructions to remove JndiLookup.class
  • Added hot-fixed versions
  • Provided guidance for clients who do not want to upgrade to the hot-fixed versions
  • Clarification on DR systems with the new JndiLookup.class instructions

In light of Elastic's update, we recommend the following mitigation on the Resilient/SOAR appliance console:

Resilient/SOAR versions 40 and above:
Please upgrade immediately to v40.2.81, v41.2.41, v42.2.41 or v43.0.7662.

If an upgrade is not feasible, from the Resilient/SOAR appliance console:

sudo bash -c 'echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options'

sudo find /usr/share/elasticsearch/lib/log4j-core-*.jar -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class > /dev/null && zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class" \;

sudo systemctl restart elasticsearch

Note: This applies the change recommended by Elasticsearch and restarts the Resilient service.

Resilient/SOAR versions 39 and below:
From the Resilient/SOAR appliance console:

sudo bash -c 'echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options'

sudo find /usr/share/elasticsearch/lib/log4j-core-*.jar -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class > /dev/null && zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class" \;

sudo systemctl restart elasticsearch

Note: This applies the change recommended by Elasticsearch and restarts the Resilient service.

Note: Manual commands run from the appliance console will be undone if you upgrade to any version other than the hot-fixed versions or later. For example, upgrading from v40.0.6556 (a manually patched version) to v40.1.51 (an unpatched version) requires the commands to be run again.

App Host
No change is needed for App Host.

Resilient/SOAR DR systems

Please upgrade immediately to v40.2.81, v41.2.41, v42.2.41 or v43.0.7662.

If an upgrade is not feasible, from the master Resilient/SOAR appliance console:

sudo bash -c 'echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options'

sudo find /usr/share/elasticsearch/lib/log4j-core-*.jar -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class > /dev/null && zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class" \;

sudo systemctl restart elasticsearch

Note: This applies the change recommended by Elasticsearch and restarts the Resilient service.

From the receiver Resilient/SOAR appliance console:

sudo find /usr/share/elasticsearch/lib/log4j-core-*.jar -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class > /dev/null && zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class" \;

The resilient-filesync service will copy /etc/elasticsearch/jvm.options to the receiver.
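Because the manual mitigation above is reverted by an upgrade to an unpatched version, and because a DR receiver only gets jvm.options copied by resilient-filesync while the jar edit must be done by hand, a practitioner will want a repeatable way to confirm both measures are in place. The following script is an added example (not IBM's tooling and not part of this page's procedure): it checks that jvm.options carries the -Dlog4j2.formatMsgNoLookups=true line, lists every log4j-core jar that still contains org/apache/logging/log4j/core/lookup/JndiLookup.class, and can strip that entry the way the page's zip -d command does. It uses only the Python standard library so it runs offline; the appliance paths are parameters with the page's defaults, and run_demo() exercises it against a constructed fixture (a fake jar whose class entries hold placeholder bytes, not real bytecode).

```python
"""Verify the two CVE-2021-44228 mitigations described on this page for the
Elasticsearch bundled with Resilient/SOAR: the JVM flag in jvm.options and the
removal of JndiLookup.class from every log4j-core jar.

Added example, not IBM's own tooling. Paths default to the ones on the page
but are parameters so the check can run against constructed fixtures."""
import glob
import os
import shutil
import tempfile
import zipfile

JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
DEFAULT_JVM_OPTIONS = "/etc/elasticsearch/jvm.options"   # path from the page
DEFAULT_LIB_DIR = "/usr/share/elasticsearch/lib"         # path from the page


def flag_present(jvm_options_path):
    """True if jvm.options carries the flag as an active (uncommented) line."""
    try:
        with open(jvm_options_path) as f:
            return any(line.strip() == JVM_FLAG for line in f)
    except FileNotFoundError:
        return False


def jars_with_jndilookup(lib_dir):
    """Return the log4j-core jars under lib_dir that still contain JndiLookup.class."""
    hits = []
    for jar in sorted(glob.glob(os.path.join(lib_dir, "log4j-core-*.jar"))):
        with zipfile.ZipFile(jar) as zf:
            if JNDI_CLASS in zf.namelist():
                hits.append(jar)
    return hits


def remove_jndilookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (what `zip -q -d` does on the page).
    Returns True if the entry was removed, False if it was already absent."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
        os.close(fd)
        # Copy every entry except the lookup class into a fresh archive.
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    shutil.copymode(jar_path, tmp_path)  # keep the original file mode
    os.replace(tmp_path, jar_path)       # atomic swap into place
    return True


def mitigation_status(jvm_options_path=DEFAULT_JVM_OPTIONS, lib_dir=DEFAULT_LIB_DIR):
    """Summarise both mitigations; 'mitigated' is True only when both are in place."""
    remaining = jars_with_jndilookup(lib_dir)
    flag = flag_present(jvm_options_path)
    return {"flag_present": flag, "jars_with_jndilookup": remaining,
            "mitigated": flag and not remaining}


def build_fixture(root):
    """Constructed fixture: a lib dir with one unpatched log4j-core jar and a
    jvm.options lacking the flag. Jar name and contents are placeholders."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    jar = os.path.join(lib, "log4j-core-2.x.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
    opts = os.path.join(root, "jvm.options")
    with open(opts, "w") as f:
        f.write("-Xms1g\n-Xmx1g\n")
    return opts, lib


def run_demo():
    """Apply both mitigations to the fixture; return (before, removed, removed_again, after)."""
    root = tempfile.mkdtemp()
    try:
        opts, lib = build_fixture(root)
        before = mitigation_status(opts, lib)
        with open(opts, "a") as f:
            f.write(JVM_FLAG + "\n")
        jar = os.path.join(lib, "log4j-core-2.x.jar")
        removed = remove_jndilookup(jar)
        removed_again = remove_jndilookup(jar)   # idempotent: already absent
        after = mitigation_status(opts, lib)
        return before, removed, removed_again, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, value in zip(("before", "removed", "removed_again", "after"), run_demo()):
        print(label + ":", value)
```

Run it with no arguments to see the fixture go from unmitigated to mitigated; on an appliance, call mitigation_status() with the defaults after any upgrade and treat a non-empty jars_with_jndilookup list, or flag_present being False, as a signal that the page's commands must be run again. The second remove_jndilookup() call returning False shows the jar edit is safe to repeat.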

Document Location

Worldwide


Document Information

Modified date:
05 January 2022

UID

ibm16526222