Alibaba Cloud recently discovered a remote code execution (RCE) vulnerability in the Apache Log4j2 component and reported it to the Apache Software Foundation. This topic describes the scope of the vulnerability and its remediation plan.
Vulnerability impact
For more information about how this vulnerability affects Elasticsearch, see Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 and Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation.
The affected versions of Alibaba Cloud Elasticsearch and related services include the following. Versions not listed are not affected.
Elasticsearch: 5.5.3, 5.6.16, 6.3.2, and 6.7.0 with kernel version 1.3.0. Other kernel versions of 6.7.0 are not affected.
To view the kernel version, go to the Basic Information page of the destination instance, click Update & Upgrade, and select Update Kernel Patch in the dialog box. For more information, see View the basic information of an instance.
Logstash: 6.7 and 7.4
Vulnerability remediation plan
Recommended user configurations
To ensure the security of your business, consider the following:
Avoid enabling public network access. If you must enable it, configure the IP address whitelist based on the principle of least privilege. For more information, see Configure a public or private IP address whitelist for an instance.
Do not install any plug-ins from unofficial sources on your cluster.
Elasticsearch product remediation plan
As of December 28, 2021, Alibaba Cloud has released patches for Elasticsearch 5.5.3 and 5.6.16, and for Logstash 6.7 and 7.4. As of January 19, 2022, Alibaba Cloud has released patches for Elasticsearch 6.3.2 and 6.7.0 with kernel version 1.3.0. To apply the fix, modify the corresponding Elasticsearch and Logstash instances. For specific steps, see Remediation process.
This remediation plan:
Applies to Elasticsearch 5.5.3, 5.6.16, 6.3.2, and 6.7.0 with kernel version 1.3.0, and to Logstash 6.7 and 7.4. Other versions do not require this fix.
Fixing the vulnerability by restarting the cluster or performing a blue-green deployment does not affect your online services. However, because these operations involve restarting the instance, we recommend that you perform them during off-peak hours to ensure stability.
Recommended remediation schedule
Starting from December 28, 2021, you can apply the fix to your instances in all regions. For cluster stability, follow the recommended schedule in the table below to apply the fix to instances in each region.
| Recommended Change Schedule | Region | Region ID |
| --- | --- | --- |
| Starting from December 28, 2021 | China (Shanghai) | cn-shanghai |
| | Singapore | ap-southeast-1 |
| | Australia (Sydney) (decommissioned) | ap-southeast-2 |
| | Malaysia (Kuala Lumpur) | ap-southeast-3 |
| | Indonesia (Jakarta) | ap-southeast-5 |
| | Japan (Tokyo) | ap-northeast-1 |
| Starting from December 29, 2021 | China (Hangzhou) | cn-hangzhou |
| | China (Qingdao) | cn-qingdao |
| | China (Zhangjiakou) | cn-zhangjiakou |
| | India (Mumbai) (decommissioned) | ap-south-1 |
| | China (Hangzhou) Finance | cn-hangzhou-finance |
| | China (Shanghai) Finance | cn-shanghai-finance-1 |
| | China (Beijing) Gov 1 | cn-north-2-gov-1 |
| Starting from December 30, 2021 | Germany (Frankfurt) | eu-central-1 |
| | US (Virginia) | us-east-1 |
| | US (Silicon Valley) | us-west-1 |
| | China (Shenzhen) | cn-shenzhen |
| | China (Beijing) | cn-beijing |
| | China (Hong Kong) | cn-hongkong |
| | UK (London) | eu-west-1 |
Remediation process
Elasticsearch remediation process
You can restart the instance in the console. On the Basic Information page of the instance, click Restart in the upper-right corner. Select Restart by Role, select all role nodes to restart except for Kibana and Nginx nodes, and then select Blue-Green Deployment. The vulnerability is fixed after the change is complete. For more information, see Restart a cluster or node.
Logstash remediation process
You can restart the instance in the console. On the Basic Information page of the instance, click Restart in the upper-right corner. Select Restart Instance. The vulnerability is fixed after the change is complete. For more information, see Restart an instance or node.
Warning: A blue-green deployment is not required for Logstash. Because a blue-green deployment replaces the node servers, selecting this policy may cause data loss in the pipeline.