
Olfeo versus LOG4SHELL

Cyber news

How does CVE-2021-44228 work?

Log4J is a Java library used in software such as the Apache web server and the ElasticSearch search and analysis engine.

When writing an entry to the logs, Log4J can also:

  • Perform additional operations ("lookups") to retrieve values from other sources.
  • Make calls to third-party systems via JNDI, using protocols such as LDAP (a directory protocol).

The CVE-2021-44228 / Log4Shell vulnerability consists of injecting malicious input into vulnerable software so that it gets written to the logs; that input instructs Log4J to retrieve a value from a third-party source via JNDI, using the LDAP protocol.

However, Log4J does not check the retrieved data thoroughly enough. The retrieved data may be code, which Log4J then executes on the system.

Is the Olfeo solution vulnerable?

Olfeo uses ElasticSearch, and therefore also uses Log4J.

However, ElasticSearch only logs the cluster status (startup, startup parameters, and shutdown).

User input is not sent to Log4J, which is why Olfeo is not vulnerable to this flaw. This is especially true since this service is not accessible from outside the network.

What should I do if I still want to prevent Log4J from resolving these requests?

You can prevent Log4J from accessing JNDI by adding this line to the /etc/elasticsearch/jvm.options file once you are in the chroot:

-Dlog4j2.formatMsgNoLookups=true

Then restart the ElasticSearch service (still in the chroot):

service elasticsearch restart
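The two steps above (add the JVM option, then restart) as an added shell example; this is not an Olfeo script. It takes the jvm.options path as a parameter so the functions can be tried on a scratch copy first, and it only appends the option when it is not already present, so running it twice does not duplicate the line. The `--apply` argument, the function names and the "added"/"already set" messages are assumptions of this example; the option and the restart command are the ones given in the text.

```shell
#!/bin/sh
# Added example (not Olfeo's code): idempotently set
# -Dlog4j2.formatMsgNoLookups=true in an ElasticSearch jvm.options file,
# then restart the service as described in the text.
set -eu

OPT='-Dlog4j2.formatMsgNoLookups=true'

# has_nolookups FILE -> exit status 0 if FILE already contains the option
# as a whole line (a commented-out copy such as "#-Dlog4j2..." does not count).
has_nolookups() {
    grep -qxF -- "$OPT" "$1"
}

# ensure_nolookups FILE -> append the option if missing; prints "added" or
# "already set" so a caller (or a test) can see what happened.
ensure_nolookups() {
    file="$1"
    if has_nolookups "$file"; then
        echo "already set"
        return 0
    fi
    # If the file does not end with a newline, add one first so the option
    # lands on its own line rather than being glued to the previous one.
    if [ -n "$(tail -c1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$OPT" >> "$file"
    echo "added"
}

# Real run (from inside the chroot): ./nolookups.sh --apply
# Without --apply the script only defines the functions, so it is safe to
# source or to exercise on a temporary file.
if [ "${1:-}" = "--apply" ]; then
    ensure_nolookups /etc/elasticsearch/jvm.options   # path from the text
    service elasticsearch restart                     # command from the text
fi
```

The `log4j2.formatMsgNoLookups` property is only honoured by Log4J 2.10 and later, so check the Log4J version bundled with ElasticSearch before relying on it, and keep the service unreachable from outside the network as the text notes.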
