Alibaba Cloud Computing Co., Ltd. recently discovered a remote code execution (RCE) vulnerability in Apache Log4j 2 (CVE-2021-44228) and reported it to Apache. This topic describes the impacts of the vulnerability on Alibaba Cloud Elasticsearch and Logstash clusters and the solutions available to fix it.

Impacts

For more information about the impacts of the vulnerability on Elasticsearch, see the following Elastic advisories:
  • Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31
  • Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation

The vulnerability has impacts on the following versions of Alibaba Cloud Elasticsearch clusters and Logstash clusters:
  • Elasticsearch: V5.5.3, V5.6.16, V6.3.2, and V6.7.0 (with the kernel version of V1.3.0)

    To view the kernel version of an Elasticsearch cluster, go to the Basic Information page of the cluster based on the instructions provided in View the basic information of a cluster and click Update and Upgrade in the upper-right corner of the page. In the dialog box that appears, select Kernel Patch Update. Then, you can view the kernel version of the cluster.

  • Logstash: V6.7 and V7.4

Solutions

Configuration optimization solution for the client side

To ensure the security of your business, you must take note of the following items:
  • We recommend that you do not enable the Public Network Access feature for your Elasticsearch cluster. If you need to enable this feature, configure a public IP address whitelist for your cluster and add only the IP addresses that need to be used to access the Elasticsearch cluster to the whitelist. For more information, see Configure a public or private IP address whitelist for an Elasticsearch cluster.
  • Do not install plug-ins that are not provided by official websites for your Elasticsearch cluster.
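Because the whitelist is only protective when it contains just the addresses that need access, it helps to audit a candidate whitelist before applying it. The following Python script is an added example (it is not part of this topic or of the Alibaba Cloud console): it flags entries that admit every address or far more hosts than a client network normally needs. The sample list and the 256-address threshold are constructed assumptions for the demonstration.

```python
import ipaddress

# Constructed sample whitelist (documentation address ranges), not taken from the page.
SAMPLE_WHITELIST = [
    "203.0.113.10",      # one client host
    "198.51.100.0/24",   # one office network
    "0.0.0.0/0",         # admits the entire IPv4 Internet
    "10.0.0.0/8",        # a whole private class A range
    "::/0",              # admits the entire IPv6 Internet
    "not-an-ip",         # a typo that would be rejected on apply
]

# Assumption: any single entry wider than a /24 (256 addresses) is treated as overly broad.
MAX_HOSTS = 256


def audit_whitelist(entries, max_hosts=MAX_HOSTS):
    """Return (entry, reason) pairs for entries that are invalid or overly broad.

    An empty result means every entry is a specific host or a small, named network.
    """
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not a valid IP address or CIDR block"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "matches every address; the whitelist is effectively disabled"))
        elif net.num_addresses > max_hosts:
            findings.append((entry, f"covers {net.num_addresses} addresses; narrow it to the hosts that need access"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_whitelist(SAMPLE_WHITELIST):
        print(f"{entry:20} {reason}")
```

Run the script against the list you intend to configure; a `0.0.0.0/0` or `::/0` entry defeats the purpose of enabling a whitelist, and large private ranges usually mean the real client hosts have not been identified yet.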

Solution for Alibaba Cloud Elasticsearch

As of December 28, 2021, Alibaba Cloud has released patches for Elasticsearch V5.5.3, Elasticsearch V5.6.16, Logstash V6.7, and Logstash V7.4. As of January 19, 2022, Alibaba Cloud has released patches for Elasticsearch V6.3.2 and Elasticsearch V6.7.0 (with the kernel version of V1.3.0). You must restart your Elasticsearch or Logstash cluster of the related version to fix the vulnerability. For more information, see Procedure.

Take note of the following items when you use this solution:
  • This solution is suitable only for Elasticsearch V5.5.3, Elasticsearch V5.6.16, Elasticsearch V6.3.2, Elasticsearch V6.7.0 (with the kernel version of V1.3.0), Logstash V6.7, and Logstash V7.4.
  • If you restart your cluster or use the blue-green update method to fix the vulnerability, your online business is not affected. However, we still recommend that you restart your cluster or perform a blue-green update for your cluster during off-peak hours.
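If you operate many clusters, the impact list above and the applicability rules of this solution are easier to apply from an inventory than by hand. The following Python script is an added example, not a tool provided by Alibaba Cloud: it encodes the affected versions, the patch release dates and the restart method from this topic, and reports which clusters in a constructed sample inventory still need a restart. Cluster names, the `Cluster` record and the inventory are assumptions for the demonstration; a version that is not on the page's list is reported as not covered by this solution, which is not the same as verified safe.

```python
from dataclasses import dataclass
from typing import Optional

# Affected versions from this topic. Elasticsearch 6.7.0 is listed only with
# kernel version 1.3.0, so that entry records the kernel version it requires.
AFFECTED = {
    "elasticsearch": {"5.5.3": None, "5.6.16": None, "6.3.2": None, "6.7.0": "1.3.0"},
    "logstash": {"6.7": None, "7.4": None},
}

# Date on which the patch for each version became available (from this topic).
PATCH_RELEASE = {
    ("elasticsearch", "5.5.3"): "2021-12-28", ("elasticsearch", "5.6.16"): "2021-12-28",
    ("elasticsearch", "6.3.2"): "2022-01-19", ("elasticsearch", "6.7.0"): "2022-01-19",
    ("logstash", "6.7"): "2021-12-28", ("logstash", "7.4"): "2021-12-28",
}

# Region ID -> earliest recommended update date, from the schedule in this topic.
UPDATE_DATE = {
    **dict.fromkeys(["cn-shanghai", "ap-southeast-1", "ap-southeast-2", "ap-southeast-3",
                     "ap-southeast-5", "ap-northeast-1"], "2021-12-28"),
    **dict.fromkeys(["cn-hangzhou", "cn-qingdao", "cn-zhangjiakou", "ap-south-1",
                     "cn-hangzhou-finance", "cn-shanghai-finance-1", "cn-north-2-gov-1"], "2021-12-29"),
    **dict.fromkeys(["eu-central-1", "us-east-1", "us-west-1", "cn-shenzhen", "cn-beijing",
                     "cn-hongkong", "eu-west-1"], "2021-12-30"),
}


@dataclass
class Cluster:
    """Assumed inventory record; the fields mirror what the console's Basic Information page shows."""
    name: str
    product: str                         # "elasticsearch" or "logstash"
    version: str                         # as displayed, e.g. "V6.7.0"
    region_id: str
    kernel_version: Optional[str] = None  # Elasticsearch only, e.g. "V1.3.0"


def normalize(version: str) -> str:
    """Strip the console's leading 'V' so "V6.7.0" and "6.7.0" compare equal."""
    return version.strip().lstrip("Vv")


def is_affected(cluster: Cluster) -> bool:
    """True when the cluster's product, version and (where required) kernel version are on the list."""
    versions = AFFECTED.get(cluster.product.lower(), {})
    version = normalize(cluster.version)
    if version not in versions:
        return False
    required_kernel = versions[version]
    if required_kernel is None:
        return True
    return cluster.kernel_version is not None and normalize(cluster.kernel_version) == required_kernel


def remediation(cluster: Cluster) -> str:
    """The restart method this topic prescribes for each product."""
    if cluster.product.lower() == "logstash":
        return "restart the cluster (Object: Cluster); do not select Change Blue-green Release"
    return "restart by node role with Change Blue-green Release (Kibana and NGINX nodes are not restarted)"


def triage(clusters):
    """Return one report entry per affected cluster with its action and earliest update date."""
    report = []
    for c in clusters:
        if not is_affected(c):
            continue
        patch_date = PATCH_RELEASE[(c.product.lower(), normalize(c.version))]
        region_date = UPDATE_DATE.get(c.region_id)
        report.append({
            "name": c.name,
            "action": remediation(c),
            # ISO dates compare correctly as strings; the later of the two dates applies.
            "not_before": max(patch_date, region_date or ""),
            "region_scheduled": region_date is not None,
        })
    return report


# Constructed sample inventory, not real clusters.
SAMPLE_INVENTORY = [
    Cluster("es-prod-1", "elasticsearch", "V6.7.0", "cn-hangzhou", kernel_version="V1.3.0"),
    Cluster("es-prod-2", "elasticsearch", "V6.7.0", "cn-hangzhou", kernel_version="V1.4.0"),
    Cluster("es-search", "elasticsearch", "V5.6.16", "eu-central-1"),
    Cluster("es-new", "elasticsearch", "V7.10.0", "us-east-1"),
    Cluster("ls-ingest", "logstash", "V7.4", "ap-southeast-1"),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print(entry)
```

The report deliberately separates the two dates: for Elasticsearch 6.3.2 and 6.7.0 the patch was released after every region's recommended window opened, so the patch date governs, whereas for the other versions the region schedule does.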

Recommended update time

From December 28, 2021, you can update all your clusters that reside in the regions listed in the following table to fix the vulnerability. To ensure cluster stability, we recommend that you update your clusters within the recommended time range listed in the following table.
Recommended update time     Region                    Region ID
From December 28, 2021      China (Shanghai)          cn-shanghai
                            Singapore (Singapore)     ap-southeast-1
                            Australia (Sydney)        ap-southeast-2
                            Malaysia (Kuala Lumpur)   ap-southeast-3
                            Indonesia (Jakarta)       ap-southeast-5
                            Japan (Tokyo)             ap-northeast-1
From December 29, 2021      China (Hangzhou)          cn-hangzhou
                            China (Qingdao)           cn-qingdao
                            China (Zhangjiakou)       cn-zhangjiakou
                            India (Mumbai)            ap-south-1
                            China East 1 Finance      cn-hangzhou-finance
                            China East 2 Finance      cn-shanghai-finance-1
                            China North 2 Ali Gov 1   cn-north-2-gov-1
From December 30, 2021      Germany (Frankfurt)       eu-central-1
                            US (Virginia)             us-east-1
                            US (Silicon Valley)       us-west-1
                            China (Shenzhen)          cn-shenzhen
                            China (Beijing)           cn-beijing
                            China (Hong Kong)         cn-hongkong
                            UK (London)               eu-west-1

Procedure

  • Fix the vulnerability for an Elasticsearch cluster

    Restart the cluster in the Elasticsearch console. Log on to the Elasticsearch console and go to the Basic Information page of the cluster. On the Basic Information page, click Restart in the upper-right corner. In the Restart dialog box, select Node Role for Object, select the types of nodes that you want to restart from the Node drop-down list, and then select Change Blue-green Release. The types of nodes that you can select do not include Kibana nodes and NGINX nodes. Then, click OK. After the cluster is restarted, the vulnerability is fixed for the cluster. For more information, see Restart a cluster or node.

  • Fix the vulnerability for a Logstash cluster

    Restart the cluster in the Elasticsearch console. Log on to the Elasticsearch console and go to the Basic Information page of the cluster. On the Basic Information page, click Restart in the upper-right corner. In the Restart dialog box, select Cluster for Object and click OK. After the cluster is restarted, the vulnerability is fixed for the cluster. For more information, see Restart a cluster or node.

    Notice: A blue-green update is not required for a Logstash cluster. If you perform a blue-green update for a cluster, the nodes in the cluster are changed. If you select Change Blue-green Release when you restart a Logstash cluster, data in the pipelines of the cluster may be lost after the restart.