Troubleshooting
Problem
CVE-2021-44228
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
Resolving The Problem
Update: December 21, 2021
- Added instructions to remove JndiLookup.class
- Added hot fixed versions
- Provided guidance for clients who do not want to upgrade to the hot fixed versions
- Clarification on DR systems with new JndiLookup.class instructions
In light of Elastic's update we recommend the following mitigation on the Resilient/SOAR appliance console:
Resilient/SOAR versions 40 and above:
Please upgrade immediately to v40.2.81, v41.2.41, v42.2.41 or v43.0.7662.
If an upgrade is not feasible, from the Resilient/SOAR appliance console:
sudo bash -c 'echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options'
sudo find /usr/share/elasticsearch/lib/log4j-core-*.jar -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class > /dev/null && zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class" \;
sudo systemctl restart elasticsearch
Note: This will make the recommended change from Elasticsearch and restart the Resilient service.
Resilient/SOAR versions 39 and below:
From the Resilient/SOAR appliance console:
sudo bash -c 'echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options'
sudo find /usr/share/elasticsearch/lib/log4j-core-*.jar -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class > /dev/null && zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class" \;
sudo systemctl restart elasticsearch
Note: This will make the recommended change from Elasticsearch and restart the Resilient service.
Note: Manual commands run from the appliance console will be undone if you upgrade to a version other than the hot fixes or higher. For example, upgrading from v40.0.6556 (a manually patched version) to v40.1.51 (an unpatched version) requires the commands to be run again.
App Host
No change is needed for App Host.
Resilient/SOAR DR systems
Please upgrade immediately to v40.2.81, v41.2.41, v42.2.41 or v43.0.7662.
If an upgrade is not feasible, from the master Resilient/SOAR appliance console:
sudo bash -c 'echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options'
sudo find /usr/share/elasticsearch/lib/log4j-core-*.jar -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class > /dev/null && zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class" \;
sudo systemctl restart elasticsearch
Note: This will make the recommended change from Elasticsearch and restart the Resilient service.
From the receiver Resilient/SOAR appliance console:
sudo find /usr/share/elasticsearch/lib/log4j-core-*.jar -type f -name "*.jar" -exec sh -c "zipinfo -1 {} | grep JndiLookup.class > /dev/null && zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class" \;
The resilient-filesync service will copy /etc/elasticsearch/jvm.options to the receiver.
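The following check script is an added example and is not part of the IBM document or the appliance. It verifies the two mitigation steps above: that jvm.options carries -Dlog4j2.formatMsgNoLookups=true and that no log4j-core-*.jar under the Elasticsearch lib directory still contains JndiLookup.class. It builds a constructed fixture (one jar with the class, one without) so it runs offline; on an appliance you would point it at /etc/elasticsearch/jvm.options and /usr/share/elasticsearch/lib instead.

```python
"""Verify the CVE-2021-44228 mitigation state (added example, not IBM's code)."""
import glob
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def jars_with_jndi_lookup(lib_dir):
    """Return the log4j-core-*.jar files under lib_dir that still ship JndiLookup.class."""
    found = []
    for jar in sorted(glob.glob(os.path.join(lib_dir, "log4j-core-*.jar"))):
        with zipfile.ZipFile(jar) as zf:
            if JNDI_CLASS in zf.namelist():
                found.append(jar)
    return found


def jvm_options_has_flag(path):
    """True if jvm.options contains the formatMsgNoLookups line as its own entry."""
    with open(path) as fh:
        return any(line.strip() == JVM_FLAG for line in fh)


def mitigation_applied(lib_dir, jvm_options):
    """Both steps done: flag present and no jar still carries the lookup class."""
    return jvm_options_has_flag(jvm_options) and not jars_with_jndi_lookup(lib_dir)


def build_fixture():
    """Constructed sample data: one unpatched jar, one patched jar, and a jvm.options with the flag."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib")
    os.mkdir(lib)
    for name, keep_class in (("log4j-core-before.jar", True), ("log4j-core-after.jar", False)):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if keep_class:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    opts = os.path.join(root, "jvm.options")
    with open(opts, "w") as fh:
        fh.write("-Xms1g\n" + JVM_FLAG + "\n")
    return lib, opts


if __name__ == "__main__":
    lib, opts = build_fixture()
    print("flag set:", jvm_options_has_flag(opts))
    print("jars still carrying JndiLookup.class:", jars_with_jndi_lookup(lib))
    print("mitigation fully applied:", mitigation_applied(lib, opts))
```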
Document Location
Worldwide
Document Information
Modified date:
05 January 2022
UID
ibm16526222