No Change after update from 4.2.3 to 4.2.4, log4j vulnerability not fixed

Hi,
I upgraded from version 4.2.3 to 4.2.4, but despite this the vulnerability has not been resolved.
I still have version 2.11.1 of the libraries on my server, they are not updated to version 2.16.0.
Shouldn’t the version be updated? Or did I get it wrong?
A scan with Nessus also detects the vulnerability as unresolved.
In the /usr/share/elasticsearch/lib folder I still have the old libraries:
log4j-api-2.11.1.jar
And
log4j-core-2.11.1.jar

My configuration:

Ubuntu 20.04.3 LTS
Graylog 4.2.4
Java openjdk 1.8.0_312
Elasticsearch 7.10.2 oss
MongoDB 4.0.27

Hi Alessio

Graylog is a component of a three-product stack - Graylog, Elasticsearch and MongoDB. The Elasticsearch and MongoDB products are not maintained by us, and these services are updated separately to the Graylog product.

We’ve published a documentation page to advise you on tackling this vulnerability across the stack here:

https://docs.graylog.org/docs/upgrade-graylog-against-log4shell


Thanks for your answer
I am aware that these are three separate stacks, but I figured that upgrading the version could also cause the version upgrade of the vulnerable Apache libraries.
Surely I misunderstood, and the words “Fix log4j CVE-2021-45046 by updating the library to 2.16.0” mean that I have to be the one to do it and that it does not happen automatically with system and package updates from their repositories at new releases.
Not having manually installed these libraries, but them being the consequence of installing Elasticsearch as per the procedure reported on your portal, I imagined that the update procedure would lead to something else.
By packages I mean those of:
Graylog
Elasticsearch
MongoDB
I understand that you are rightly dealing with Graylog and not with the other two packages that are developed by others, I hoped that in the community there was some other unfortunate like me who had managed to remedy this problem
The question in the end was:
How can I switch from version 2.11.1 libraries to version 2.16.0 libraries?
The question is addressed to anyone who has the possibility to indicate a procedure, if there is one
I was hoping for a definitive solution and not a mitigation
This question then I have to ask the Elasticsearch developers
I will have to study more and better

Ok,
also the latest version of Elasticsearch, 7.16.1, released on December 13th, still contains the old and vulnerable 2.11.1 libraries in the package.
The OSS version 7.10.2 dates back to January; no updated version has been released since.

The Graylog info clearly states that any ES version 7.11 or higher breaks Graylog, so buyer beware trying to go past 7.10.2. “Our team confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7” :man_shrugging:

They do for your data, but state some unawareness for your system.


You could try changing the Java log4j library, or open the jar file and remove the “JndiLookup.class” from the jar file to be safe and sure.

You could even find some log4j CVE scanners online that change the log4j jar file for you.

Some good story on this: even Elastic is apparently removing the JndiLookup.class from the log4j library, which I think is the best thing to do.
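The check and the class removal described in the reply above, written out as an added Python example (not code from the thread, Graylog or Elastic): it inventories the `log4j-core-*.jar` files in a lib directory such as `/usr/share/elasticsearch/lib`, tells a jar that is still 2.11.1 with `JndiLookup.class` present (vulnerable) apart from one where the class has been removed (mitigated, not fixed) and from 2.16.0 or newer (fixed), and performs the removal. The sample jar it builds is constructed for the demo; its `JndiLookup.class` entry is a placeholder, not real bytecode.

```python
import os, re, tempfile, zipfile
from pathlib import Path

# Entry whose presence lets log4j-core resolve JNDI lookups (the Log4Shell vector).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)  # version the upgrade notes quoted in the thread point at
VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def jar_version(path):
    """(major, minor, patch) parsed from a log4j-core file name, or None if it does not match."""
    m = VERSION_RE.match(Path(path).name)
    return tuple(int(x) for x in m.groups()) if m else None

def has_jndi_lookup(path):
    """True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(path) as jar:
        return JNDI_CLASS in jar.namelist()

def assess(lib_dir):
    """Per log4j-core-*.jar in lib_dir: version, JndiLookup presence and a verdict
    (pre-2.16 with class: vulnerable; pre-2.16 without class: mitigated; else fixed)."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("log4j-core-*.jar")):
        version, jndi = jar_version(jar), has_jndi_lookup(jar)
        outdated = version is None or version < FIXED_VERSION
        verdict = "vulnerable" if jndi and outdated else "mitigated" if outdated else "fixed"
        vstr = ".".join(map(str, version)) if version else "unknown"
        report[jar.name] = {"version": vstr, "jndi_present": jndi, "verdict": verdict}
    return report

def strip_jndi_lookup(jar):
    """Rewrite jar without JndiLookup.class. zipfile cannot delete in place, so write a
    sibling file and swap it in (same effect as `zip -q -d <jar> <entry>`). Returns True if dropped."""
    jar, tmp = Path(jar), Path(str(jar) + ".tmp")
    with zipfile.ZipFile(jar) as sj, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dj:
        removed = JNDI_CLASS in sj.namelist()
        for info in sj.infolist():
            if info.filename != JNDI_CLASS:
                dj.writestr(info, sj.read(info.filename))
    os.replace(tmp, jar)  # atomic swap on the same filesystem
    return removed

def build_sample_lib(lib_dir=None):
    """Constructed stand-in for /usr/share/elasticsearch/lib: a fake log4j-core-2.11.1.jar
    holding a placeholder JndiLookup.class entry (not real bytecode). Returns the directory."""
    lib = Path(lib_dir or tempfile.mkdtemp())
    with zipfile.ZipFile(lib / "log4j-core-2.11.1.jar", "w") as zf:
        zf.writestr(JNDI_CLASS, b"constructed placeholder, not bytecode")
    return lib
```

Run `assess("/usr/share/elasticsearch/lib")` before and after the change, and keep a copy of the original jar; Elasticsearch must be restarted for the rewritten jar to take effect.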
