Keep in mind that Pydio 8 with elasticsearch can use a vulnerable log4j version

Hello, I found log4j on my (good old) Pydio 8 on Debian Linux, in Elasticsearch (the Pydio Elasticsearch plugin is installed).

You can read the full explanation of the Elasticsearch vulnerabilities here: "Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31" (Security Announcements - Discuss the Elastic Stack)

and a more practical summary here: "Mitigate Log4j2 / Log4Shell in Elasticsearch"

What did we do? For certain Elasticsearch versions, an easy fix was to remove the vulnerable library inline in the jar file, and that's what we did:

cd /usr/share/elasticsearch/lib/

create a backup of the jar

cp log4j-core-2.7.jar log4j-core-2.7.jar.VULNERABLE

verify the vulnerable class is in the library

jar tvf log4j-core-2.7.jar | grep -i JndiLookup
#response: org/apache/logging/log4j/core/lookup/JndiLookup.class
#remove the class
zip -d log4j-core-2.7.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
#verify the class is no longer present
jar tvf log4j-core-2.7.jar | grep -i JndiLookup
#restart Elasticsearch
service elasticsearch restart
service elasticsearch status

:sunglasses:

Hope this can help!

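An added example, not part of the original post: a Python check that the `zip -d` step took effect, reporting every archive under a directory that still contains `JndiLookup.class`. It goes a little beyond the post by also looking inside nested jars and at files of any extension, so the `.VULNERABLE` backup is reported as well; `build_sample` and the file names it creates (`plugin-bundle.jar`, `jvm.options`) are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class removed by the `zip -d` step in the post.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")

def contains_jndi_lookup(data: bytes) -> bool:
    """True if this archive, or an archive nested inside it, holds JndiLookup.class."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    return True
                if name.lower().endswith(ARCHIVE_SUFFIXES) and contains_jndi_lookup(zf.read(name)):
                    return True
    except zipfile.BadZipFile:
        pass  # not an archive (config file, script, ...)
    return False

def audit(root) -> list:
    """Relative paths of every file under root that still carries the class."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and contains_jndi_lookup(p.read_bytes())
    )

def build_sample(root) -> None:
    """Constructed layout: patched jar, untouched backup, jar nested in a bundle."""
    root = Path(root)
    unpatched = io.BytesIO()
    with zipfile.ZipFile(unpatched, "w") as zf:
        zf.writestr(JNDI_CLASS, b"constructed placeholder bytes")
    with zipfile.ZipFile(root / "log4j-core-2.7.jar", "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"x")
    (root / "log4j-core-2.7.jar.VULNERABLE").write_bytes(unpatched.getvalue())
    with zipfile.ZipFile(root / "plugin-bundle.jar", "w") as zf:
        zf.writestr("lib/log4j-core-2.7.jar", unpatched.getvalue())
    (root / "jvm.options").write_text("-Xms1g\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))  # the patched log4j-core-2.7.jar is not listed
```

To check a real installation, call `audit("/usr/share/elasticsearch/lib")`; an empty list means no archive there still contains the class.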

Thanks for reporting!

Anyway, this can be seen as one more reminder that it is a good time to switch to Cells!! :smile:
