Hi,
I upgraded from version 4.2.3 to 4.2.4, but despite this the vulnerability has not been resolved.
I still have version 2.11.1 of the libraries on my server; they are not updated to version 2.16.0.
Shouldn’t the version be updated? Or did I get it wrong?
A scan with Nessus also detects the vulnerability as unresolved.
In the /usr/share/elasticsearch/lib folder I still have the old libraries:
log4j-api-2.11.1.jar
and
log4j-core-2.11.1.jar
Graylog is a component of a three-product stack: Graylog, Elasticsearch and MongoDB. The Elasticsearch and MongoDB products are not maintained by us, and these services are updated separately from the Graylog product.
We’ve published a documentation page to advise you on tackling this vulnerability across the stack here:
Thanks for your answer
I am aware that these are three separate stacks, but I figured that upgrading the version could also cause the version upgrade of the vulnerable Apache libraries.
Surely I misunderstood, and the words “Fix log4j CVE-2021-45046 by updating the library to 2.16.0” mean that I have to be the one to do it, and that it does not happen automatically with system and package updates from their repositories at new releases.
Since I did not install these libraries manually, and they are the consequence of installing Elasticsearch as per the procedure reported on your portal, I imagined that the update procedure would lead to something else.
By packages I mean those of:
Graylog
Elasticsearch
MongoDB
I understand that you are rightly dealing with Graylog and not with the other two packages that are developed by others; I hoped that in the community there was some other unfortunate like me who had managed to remedy this problem.
The question in the end was:
How can I switch from version 2.11.1 libraries to version 2.16.0 libraries?
The question is addressed to anyone who has the possibility to indicate a procedure, if there is one
I was hoping for a definitive solution and not a mitigation
This question, then, I have to ask the Elasticsearch developers.
I will have to study more and better.
Ok,
Also, the latest version of Elasticsearch, 7.16.1, released on December 13th, contains in the package the old and vulnerable 2.11.1 libraries.
The OSS version 7.10.2 dates back to January; no updated version has been released since then.
The Graylog info clearly states that any ES version 7.11 or higher breaks Graylog, so buyer beware trying to go past 7.10.2. “Our team confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7”
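For anyone checking their own server for the situation described in this thread, here is an added example (not code from the thread, Graylog or Elastic): a POSIX shell script that lists the log4j-api/log4j-core jars in a lib directory, such as the /usr/share/elasticsearch/lib named above, and flags any older than 2.16.0. The demo directory it creates is constructed to mimic the listing in the first post.

```shell
# Added example, not from the thread: flag log4j jars below the 2.16.0
# version the thread identifies as the fix for CVE-2021-45046.
set -u

MIN_VERSION="2.16.0"

# Extract the version from a jar name, e.g. log4j-core-2.11.1.jar -> 2.11.1.
# Only log4j-api and log4j-core are considered; other names yield "".
jar_version() {
    basename "$1" .jar | sed -nE 's/^log4j-(api|core)-([0-9][0-9.]*)$/\2/p'
}

# Return 0 if dotted version $1 is >= dotted version $2, else 1.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Print one status line per log4j api/core jar in directory $1.
# Returns 1 if any jar is older than MIN_VERSION, 0 otherwise.
check_log4j_dir() {
    dir="$1"; bad=0
    for jar in "$dir"/log4j-*.jar; do
        [ -e "$jar" ] || continue      # glob matched nothing
        ver=$(jar_version "$jar")
        [ -n "$ver" ] || continue      # not an api/core jar
        if version_ge "$ver" "$MIN_VERSION"; then
            echo "OK         $(basename "$jar")"
        else
            echo "VULNERABLE $(basename "$jar") (need >= $MIN_VERSION)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample directory mimicking the listing in the thread.
# On a real host run: check_log4j_dir /usr/share/elasticsearch/lib
demo=$(mktemp -d)
touch "$demo/log4j-api-2.11.1.jar" "$demo/log4j-core-2.11.1.jar"
if check_log4j_dir "$demo"; then echo "no vulnerable log4j jars"; else echo "update needed"; fi
rm -rf "$demo"
```

A non-zero exit status from check_log4j_dir means the jars on disk are still the old ones, regardless of which Graylog version is installed.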