Upgrading the Log4j version in Elasticsearch

Background

On December 10, 2021, the first remote code execution vulnerability in the Apache Log4j Java logging library was publicly disclosed, identified as CVE-2021-44228. Further vulnerabilities followed: CVE-2021-45046 and CVE-2021-45105. Because the impact is so broad, every service that uses this library needs to be patched. This note records patching the Log4j library shipped with Elasticsearch, based on Elasticsearch 6.2.4.

Fix procedure

The fix targets Elasticsearch itself and consists of upgrading the Log4j version; three successive version upgrades were carried out.

First upgrade: to 2.15.0

cd /tmp && wget https://dlcdn.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.tar.gz

mv /usr/share/elasticsearch/lib/log4j-core-2*.jar /tmp && \
mv /usr/share/elasticsearch/lib/log4j-api-2*.jar /tmp && \
mv /usr/share/elasticsearch/lib/log4j-1.2-api-2*.jar /tmp && \
tar -zxf apache-log4j-2.15.0-bin.tar.gz && \
cd /tmp/apache-log4j-2.15.0-bin/ && \
cp log4j-core-2.15.0.jar /usr/share/elasticsearch/lib/ && \
cp log4j-api-2.15.0.jar /usr/share/elasticsearch/lib/ && \
cp log4j-1.2-api-2.15.0.jar /usr/share/elasticsearch/lib/ && \
ls /usr/share/elasticsearch/lib/ | grep 'log4j' && \
echo 'replaced log4j with new jars, restarting ES now...' && \
sudo systemctl restart elasticsearch && \
sleep 2 && \
watch -n 2 'sudo systemctl status elasticsearch | grep ago'

Two more upgrades followed, to 2.16.0 and 2.17.0, so it made sense to turn the procedure into a script.

The script

#!/bin/bash
# Abort on the first failing command so a failed download or copy never
# leads to a restart of Elasticsearch with missing jars.
set -euo pipefail

# Set log4j version and paths
log4j_version="2.17.0"
es_lib="/usr/share/elasticsearch/lib"
archive="apache-log4j-${log4j_version}-bin.tar.gz"

# Download log4j
cd /tmp
wget "https://archive.apache.org/dist/logging/log4j/${log4j_version}/${archive}"

# Move existing log4j jars to a temporary location (kept in case of rollback)
mv "${es_lib}"/log4j-core-2*.jar /tmp
mv "${es_lib}"/log4j-api-2*.jar /tmp
mv "${es_lib}"/log4j-1.2-api-2*.jar /tmp

# Extract and copy new log4j jars to the Elasticsearch lib directory
tar -zxf "${archive}"
cd "/tmp/apache-log4j-${log4j_version}-bin/"
cp "log4j-core-${log4j_version}.jar" "${es_lib}/"
cp "log4j-api-${log4j_version}.jar" "${es_lib}/"
cp "log4j-1.2-api-${log4j_version}.jar" "${es_lib}/"

# Check new log4j jars are in place (grep fails, and so does the script, if none are found)
ls "${es_lib}" | grep 'log4j'

# Restart Elasticsearch
echo 'replaced log4j with new jars, restarting ES now...'
sudo systemctl restart elasticsearch
sleep 2

# Monitor Elasticsearch status
watch -n 2 'sudo systemctl status elasticsearch | grep ago'
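The `ls | grep 'log4j'` step above only lists whatever is in the lib directory; it does not catch a leftover old `log4j-core` jar sitting next to the new one (two versions on the classpath leave it undefined which one the JVM loads) or a jar that is still below the version you meant to install. The following check is an added example, not code from the note or from Elasticsearch: it verifies that each of the three jars the note replaces (`core`, `api`, `1.2-api`) is present exactly once, that all three carry the same version, and that that version is at or above a minimum you pass in. The directory and minimum version are parameters, so it can be tried against a scratch directory before pointing it at `/usr/share/elasticsearch/lib`.

```shell
#!/bin/bash
# Added example (not from the original note): verify the Log4j 2 jars in an
# Elasticsearch lib directory. Uses only POSIX sh features plus cut/sed/basename.

# version_ge <a> <b>: succeed if dotted numeric version a >= b (compares 3 fields).
version_ge() {
    local i a b
    for i in 1 2 3; do
        a=$(printf '%s' "$1" | cut -d. -f"$i")
        b=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
    done
    return 0
}

# jar_version <path>: "log4j-core-2.17.0.jar" -> "2.17.0"
jar_version() {
    basename "$1" .jar | sed -E 's/^log4j-(core|api|1\.2-api)-//'
}

# check_log4j_lib <lib dir> <minimum version>
# Succeeds only when log4j-core, log4j-api and log4j-1.2-api each match exactly
# one jar, all three share one version, and that version is >= the minimum.
check_log4j_lib() {
    local lib="$1" min="$2" found="" comp v
    for comp in core api 1.2-api; do
        # Positional parameters now hold the glob matches; an unmatched glob
        # stays literal, which the -e test rejects.
        set -- "$lib"/log4j-"$comp"-2*.jar
        if [ "$#" -ne 1 ] || [ ! -e "$1" ]; then
            echo "FAIL: expected exactly one log4j-$comp jar in $lib (found $#)" >&2
            return 1
        fi
        v=$(jar_version "$1")
        if ! version_ge "$v" "$min"; then
            echo "FAIL: log4j-$comp is $v, below minimum $min" >&2
            return 1
        fi
        if [ -n "$found" ] && [ "$found" != "$v" ]; then
            echo "FAIL: mixed log4j versions in $lib ($found vs $v)" >&2
            return 1
        fi
        found="$v"
    done
    echo "OK: log4j $found in $lib"
    return 0
}

# Usage: ./check_log4j.sh /usr/share/elasticsearch/lib 2.17.0
if [ "$#" -ge 1 ]; then
    check_log4j_lib "$1" "${2:-2.17.0}"
fi
```

Run it right after the `cp` steps and before the restart: a non-zero exit means an old jar was not moved out or the wrong tarball was unpacked, and restarting Elasticsearch at that point would either load an unpatched Log4j or fail to start.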

References

A review of the Log4j vulnerability incident
