log4j-api need upgraded >= 2.8.2 as vulnerability CVE-2017-5645
Closed this issue · 3 comments
For all general issues, please provide the following details for fast resolution:
- Version: logstash-input-beats 5.1.6
- Operating System: Ubuntu 16.04 LT
After upgrading Logstash to 6.5.0, we found that the "log4j-api" dependency in logstash-input-beats 5.1.6 is still at "log4j-api-2.6.2", which is affected by vulnerability CVE-2017-5645
(Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645).
e.g.
./vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.1.6-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar
It needs to be upgraded to log4j-api version 2.8.2 or above, and I created the following PR for this issue:
#351
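One way to audit an install for the outdated jar described above, as an added example that is not part of the original issue or the logstash-input-beats project: it walks a directory tree (for instance the Logstash `vendor/` directory), picks out every `log4j-<artifact>-<version>.jar`, and reports those below the 2.8.2 floor. It generalizes slightly by matching any log4j artifact name, not only log4j-api; the function names and the numeric version comparison are my own.

```python
import os
import re
from typing import Iterable, List, Tuple

# Jar names look like log4j-api-2.6.2.jar; capture the artifact and the version.
JAR_RE = re.compile(r"^(log4j-[a-z0-9]+)-(\d+(?:\.\d+)*)\.jar$")

# Lowest version the issue considers fixed for CVE-2017-5645.
MINIMUM = "2.8.2"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.6.2' into (2, 6, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def outdated_log4j_jars(paths: Iterable[str], minimum: str = MINIMUM) -> List[Tuple[str, str]]:
    """Return (path, version) for every log4j jar whose version is below `minimum`.

    Per-component comparison means 2.10.0 correctly ranks above 2.8.2, which a
    plain string comparison would get wrong.
    """
    floor = parse_version(minimum)
    findings = []
    for path in paths:
        match = JAR_RE.match(os.path.basename(path))
        if not match:
            continue  # not a log4j jar, skip it
        _artifact, version = match.groups()
        if parse_version(version) < floor:
            findings.append((path, version))
    return findings


def scan_tree(root: str, minimum: str = MINIMUM) -> List[Tuple[str, str]]:
    """Walk `root` (e.g. a Logstash vendor/ directory) and audit every .jar found."""
    jar_paths = (
        os.path.join(dirpath, name)
        for dirpath, _dirs, names in os.walk(root)
        for name in names
        if name.endswith(".jar")
    )
    return outdated_log4j_jars(jar_paths, minimum)


if __name__ == "__main__":
    import sys
    for path, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{version:<8} {path}")
```

Run it with the Logstash install directory as the argument; each printed line is a jar that still needs the upgrade.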
Has anyone at ES reviewed this yet? This is an important question...
A new release is out with an updated log4j2.
That said, I don't see how this vulnerability could be exploited since we don't use the "TCP socket server or UDP socket server" where the serialization bug exists.