Olfeo versus Log4Shell
How does CVE-2021-44228 work?
Log4J is a Java library used in software such as the Apache web server and the ElasticSearch search and analysis engine.
When writing a log entry, Log4J can:
- perform additional operations to retrieve values from complementary sources
- make calls to third-party systems, using protocols such as LDAP (directory system) via JNDI
The CVE-2021-44228 / Log4Shell vulnerability consists of injecting a malicious payload into vulnerable software, so that the logged string asks Log4J to fetch a value from a third-party source via JNDI, using the LDAP protocol.
In this case, Log4J does not check the imported data thoroughly enough: the data returned may be code, which Log4J then executes on the system.
Is the Olfeo solution vulnerable?
Olfeo uses ElasticSearch, so it also uses Log4J.
However, ElasticSearch only logs cluster status (startup, startup parameters and shutdown).
User input is never sent to Log4J, so Olfeo is not vulnerable to this flaw, all the more so because this service is not accessible from the outside.
What if I still want to prevent Log4J from resolving these requests?
You can prevent Log4J from consulting JNDI by adding this line to /etc/elasticsearch/jvm.options, once inside the chroot:
-Dlog4j2.formatMsgNoLookups=true
Then restart the ElasticSearch service (still in the chroot): service elasticsearch restart
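An added helper (not part of Olfeo's documentation or tooling) that makes the change above repeatable: it appends the option to a jvm.options file only if it is not already present as an active line, so re-running it on an appliance that already has the setting changes nothing. It assumes the file path named on the page; the restart command is left as a comment.

```shell
#!/bin/sh
# Added example, not Olfeo's own script: idempotently ensure the Log4j
# lookup-disabling JVM option is present in a jvm.options file.

JVM_OPTS_FILE="${JVM_OPTS_FILE:-/etc/elasticsearch/jvm.options}"  # path from the page
LOG4J_OPT='-Dlog4j2.formatMsgNoLookups=true'

# has_nolookups FILE: succeeds if the option is already an active
# (uncommented, exact) line; a commented-out copy does not count.
has_nolookups() {
    grep -qxF -- "$LOG4J_OPT" "$1"
}

# ensure_nolookups FILE: append the option unless already present.
# Prints "added" or "present"; returns 1 if FILE does not exist.
ensure_nolookups() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    if has_nolookups "$file"; then
        echo present
        return 0
    fi
    # Make sure the file ends with a newline before appending a line.
    [ -z "$(tail -c1 "$file")" ] || printf '\n' >> "$file"
    printf '%s\n' "$LOG4J_OPT" >> "$file"
    echo added
}

# Usage on the appliance (both commands inside the chroot):
# ensure_nolookups "$JVM_OPTS_FILE" && service elasticsearch restart
```

The property only disables message lookups; upgrading to a patched Log4j release remains the complete fix.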