Synergy with Elasticsearch for Windows – addressing log4j vulnerability
Considering the Elastic.co advisory: Elasticsearch running on JDK8 or below is susceptible to an information leak via DNS, which is fixable by the JVM property identified below. The JVM option identified below is effective for Elasticsearch version 6.6.2.
Solutions and Mitigations:
Set the JVM option “-Dlog4j2.formatMsgNoLookups=true”
Elasticsearch can be run from the command prompt or as a Windows service. When you run Elasticsearch from the command prompt, you start it manually, so every time you restart the machine you also have to start Elasticsearch again. When you install it as a Windows service, you can configure the service to start automatically when the system is restarted.
Depending on which method you use, perform one of the following solutions:
- Run Elasticsearch as a Windows service
- Run Elasticsearch from the command prompt
Run Elasticsearch as a Windows service
If Elasticsearch is set up to run as a service and the service configuration was created using “elasticsearch-service.bat manager”, the JVM options for the service are stored in the service configuration executable rather than in the jvm.options file.
Update the existing service configuration with the JVM option as follows:
- Log in to the server where the Elasticsearch service is installed.
- Run the command prompt as an administrator.
- Navigate to the Elasticsearch installation directory, for example:
  C:\Install>cd elasticsearch-6.6.2\
  In the properties of the Elasticsearch service (Start > Run > Services.msc) you can see under “path to executable” in which directory Elasticsearch is installed.
- Go to the bin directory:
  C:\Install>cd elasticsearch-6.6.2\bin
- Execute the following command:
  C:\Install\elasticsearch-6.6.2\bin>elasticsearch-service.bat manager
- In the Elasticsearch service properties, open the Java tab.
- In Java Options, scroll to the -Dlog4j options and add:
  -Dlog4j2.formatMsgNoLookups=true
- Click Apply and restart the Elasticsearch service.
Run Elasticsearch from the command prompt
- Log in to the server where Elasticsearch is installed and navigate to the installation directory, for example: C:\elasticsearch-6.2.2\
  In the properties of the Elasticsearch service (Start > Run > Services.msc) you can see under “path to executable” in which directory Elasticsearch is installed.
- Open the Config folder.
- Use a text editor to open the jvm.options file.
- In the JVM configuration file, scroll to the Expert settings and find the # log4j 2 section:
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Djava.io.tmpdir=${ES_TMPDIR}
- Add the JVM option as recommended by Elastic so the section looks like:
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Dlog4j2.formatMsgNoLookups=true
-Djava.io.tmpdir=${ES_TMPDIR}
- Save the jvm.options file.
- Restart elasticsearch service.
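
The jvm.options edit above can be scripted so that it is repeatable and safe to re-run; this is an added example, not part of the original Exact document. The `$EsHome` default is the article's example path, and inserting after the `-Dlog4j2.disable.jmx` line is an assumption that follows the layout shown above.

```powershell
# Added example: add the log4j mitigation flag to jvm.options, idempotently.
# Assumption: $EsHome defaults to the article's example path; pass your own.
param([string]$EsHome = 'C:\elasticsearch-6.2.2')

$flag    = '-Dlog4j2.formatMsgNoLookups=true'
$setting = '^\s*-Dlog4j2\.formatMsgNoLookups='   # any active line setting the property
$anchor  = '^\s*-Dlog4j2\.disable\.jmx='         # line the article inserts after

$path = Join-Path $EsHome 'config\jvm.options'
if (-not (Test-Path -LiteralPath $path)) { throw "jvm.options not found: $path" }
$path = (Resolve-Path -LiteralPath $path).Path   # absolute path for the .NET file APIs

$lines  = [System.IO.File]::ReadAllLines($path)
$out    = New-Object 'System.Collections.Generic.List[string]'
$placed = $false

foreach ($line in $lines) {
    if ($line -match $setting) {
        # Drop duplicates and wrong values (e.g. =false); keep exactly one correct line.
        if (-not $placed) { $out.Add($flag); $placed = $true }
        continue
    }
    $out.Add($line)
    if (-not $placed -and $line -match $anchor) {
        $out.Add($flag); $placed = $true
    }
}
if (-not $placed) { $out.Add($flag) }            # no log4j 2 section found: append

if (($out -join "`n") -eq ($lines -join "`n")) {
    Write-Output "No change needed: $flag already present in $path"
    return
}

Copy-Item -LiteralPath $path -Destination "$path.bak" -Force   # keep a rollback copy
# WriteAllLines emits UTF-8 without a byte-order mark on the first line.
[System.IO.File]::WriteAllLines($path, $out.ToArray())
Write-Output "Updated $path (backup: $path.bak). Restart Elasticsearch to apply."
```

This covers only the jvm.options method; as described above, a service configured with elasticsearch-service.bat manager keeps its own Java options and has to be updated there.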
Main Category: Attachments & notes
Document Type: Support - On-line help
Security level: All - 0
Document ID: 30.458.709
Assortment: Exact Synergy Enterprise
Date: 15-12-2021