logstash-plugins/logstash-input-beats

log4j-api need upgraded >= 2.8.2 as vulnerability CVE-2017-5645

Closed this issue · 3 comments

For all general issues, please provide the following details for fast resolution:

  • Version: logstash-input-beats 5.1.6
  • Operating System: Ubuntu 16.04 LTS

After upgrading Logstash to 6.5.0, we found that the "log4j-api" dependency of logstash-input-beats 5.1.6 is still "log4j-api-2.6.2", which is affected by CVE-2017-5645 (ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645), e.g.
./vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.1.6-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar

It needs to be upgraded to log4j-api version 2.8.2 or above, and I created the following PR for this issue:
#351
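A small inventory check, added here as an example and not part of the issue or the plugin's own code: it walks a Logstash install tree, matches vendored `log4j-*.jar` files by filename, parses the version out of the name and reports anything below 2.8.2 (the fix version the issue asks for). The scan is broadened to every `log4j-*` artifact rather than only `log4j-api`; the sample directory tree it builds is constructed in a temporary directory and includes the exact vendored path quoted above plus two hypothetical newer jars.

```python
import os
import re
import tempfile
from pathlib import Path

# Minimum log4j2 version requested in the issue (CVE-2017-5645 fixed in 2.8.2).
MIN_VERSION = (2, 8, 2)

# Matches vendored jar names such as log4j-api-2.6.2.jar or log4j-core-2.8.2.jar.
JAR_RE = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.6.2' -> (2, 6, 2)."""
    return tuple(int(p) for p in text.split("."))


def is_outdated(version, minimum=MIN_VERSION):
    """True when version < minimum; shorter tuples are padded with zeros,
    so (2, 8) compares as (2, 8, 0)."""
    n = max(len(version), len(minimum))
    v = version + (0,) * (n - len(version))
    m = minimum + (0,) * (n - len(minimum))
    return v < m


def find_outdated_log4j(root, minimum=MIN_VERSION):
    """Walk root (for example a Logstash vendor/bundle tree) and return a sorted
    list of (path, artifact, version_string) for log4j jars below minimum."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            artifact, ver = m.group(1), m.group(2)
            if is_outdated(parse_version(ver), minimum):
                hits.append((os.path.join(dirpath, name), artifact, ver))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree: the vendored path from the issue plus two
    hypothetical jars at or above the fix version, all as empty files."""
    rel = ("vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.1.6-java/"
           "vendor/jar-dependencies/org/apache/logging/log4j")
    paths = [
        f"{rel}/log4j-api/2.6.2/log4j-api-2.6.2.jar",    # path quoted in the issue
        f"{rel}/log4j-core/2.8.2/log4j-core-2.8.2.jar",  # constructed, exactly at fix version
        f"{rel}/log4j-api/2.11.1/log4j-api-2.11.1.jar",  # constructed, newer
    ]
    for p in paths:
        full = Path(base) / p
        full.parent.mkdir(parents=True, exist_ok=True)
        full.touch()
    return base


if __name__ == "__main__":
    # Point find_outdated_log4j at a real Logstash directory to audit an install.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, artifact, ver in find_outdated_log4j(tmp):
            print(f"OUTDATED {artifact} {ver}: {path}")
```

Version comparison is done on integer tuples rather than string comparison so that 2.11.1 correctly ranks above 2.8.2; on a real install, pass the Logstash root directory to `find_outdated_log4j` and treat any hit as a jar to upgrade.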

Has anyone at ES reviewed this yet? This is an important question...

jsvd commented

a new release is out with an updated log4j2

That said, I don't see how this vulnerability could be exploited, since we don't use the "TCP socket server or UDP socket server" where the serialization bug exists.

Thanks @jsvd, I understand the concern. I am working in a situation where the presence of vulnerable libraries is a violation regardless of practical exploit possibility, because the vulnerability, based on the CVE data, is considered critical.