Can I uninstall Log4j from my cluster

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Post by ssax »

I talked with development on it yesterday and they are still determining the next steps. As we don't use log4j explicitly in anything, they are seeing what's required to remove it, but the full impact was still being investigated as of yesterday.
ScottMc
Posts: 26
Joined: Mon Aug 06, 2018 9:35 am

Post by ScottMc »

We also understand the level of effort that's got to go into something like this, and while we can hold off a little while on a fix, we DO need something to pass on to our security team as to what to expect with respect to timing. Thanks!
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Post by ssax »

I apologize, I'm unable to give an ETA at this time.
markus.rieger
Posts: 1
Joined: Sun Apr 05, 2020 3:34 am

Post by markus.rieger »

Hello,

Any news about an update / patch or something like that?

We've found this information on elastic.

https://www.elastic.co/blog/new-elastic ... che-log4j2

Introducing Elasticsearch 7.16.2 and Logstash 6.8.22

Today, we’re pleased to announce the availability of new versions of Elasticsearch and Logstash, 7.16.2 and 6.8.22 respectively, which upgrades Apache Log4j2 to version 2.17.0. We also retain the mitigations delivered in 7.16.1 and 6.8.21. The sum of mitigations against Log4j mitigations delivered in 7.16.2 and 6.8.22 include:

* Log4j upgraded to version 2.17.0
* JndiLookup class is completely removed to eliminate the attack surface area provided by the JNDI Lookup feature and associated risk of similar vulnerabilities
* log4j2.formatMsgNoLookups=true is set to disable one of the vulnerable features
rasaraiva
Posts: 2
Joined: Wed Jan 19, 2022 12:29 pm

Post by rasaraiva »

Hello,

We really need an update on this log4j problem.

As I see it, log4j is used in several modules on the nagioslogserver
* 1.2.17 is used on elasticsearch
* 1.2.17 is used on 4 components of logstash
* 1.2.15 is used on 1 component of logstash (slyphon)

nagioslogserver/elasticsearch/lib/log4j-1.2.17.jar
nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/log4j/log4j/1.2.17/log4j-1.2.17.jar
nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.14-java/vendor/jar-dependencies/log4j/log4j/1.2.17/log4j-1.2.17.jar
nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/vendor/jar-dependencies/runtime-jars/log4j-1.2.17.jar
nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch_java-2.1.3/vendor/jar-dependencies/runtime-jars/log4j-1.2.17.jar
nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/lib/log4j-1.2.15.jar

Is there a way to:
- uninstall log4j
- update each of these log4j instances
- update elasticsearch and logstash

Best regards,
Ricardo Saraiva
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Post by ssax »

I've reached out to management to get more information on this and will let you know what they say.

Thank you!
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Post by ssax »

Thank you for your patience!

Please upgrade to Nagios Log Server 2.1.11 (released today):

https://assets.nagios.com/downloads/nag ... .11.tar.gz

2.1.11 - 2/10/2022

Removed log4j as a dependency from logstash and elasticsearch -SAW

Taken from here:

https://www.nagios.com/downloads/nagios ... hange-log/

I was told that it should automatically remove all instances of log4j.jar and logstash/elasticsearch's dependence on them from Nagios Log Server, but if it doesn't, you can also remove whatever is still left on your filesystem.

I would check the output of this command. If you are unsure whether something should be removed, please contact support to get further clarification:

find / -name "*log4j*"
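
Added example, not part of the original post and not Nagios code: a finer-grained version of the check above that lists each Log4j jar with the version taken from its file name and whether it contains the JndiLookup class named in the Elastic announcement quoted earlier in the thread. The function names and output format are assumptions of this example; saving the output before and after the upgrade and diffing the two files shows whether anything was actually removed.

```shell
#!/bin/sh
# Added example (not Nagios code): inventory Log4j jars under a directory.
# JNDI_CLASS is the path of the JndiLookup class inside a log4j-core 2.x jar.
JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# Print one tab-separated line per jar: <version> jndi=<yes|no> <path>
log4j_inventory() {
    root=${1:-/}
    find "$root" -type f -name '*log4j*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        base=${jar##*/}
        # Version comes from the file name: log4j-1.2.17.jar -> 1.2.17
        ver=$(printf '%s\n' "$base" |
              sed -n 's/.*-\([0-9][0-9.]*[0-9]\)\.jar$/\1/p')
        [ -n "$ver" ] || ver=unknown
        # Zip entry names are stored uncompressed, so grep can find the
        # class name without unpacking. Jars nested inside other archives
        # are compressed and will be missed by this check.
        if grep -qF "$JNDI_CLASS" "$jar"; then jndi=yes; else jndi=no; fi
        printf '%s\tjndi=%s\t%s\n' "$ver" "$jndi" "$jar"
    done
}

# Number of Log4j jars found; 0 is the expected result after removal.
log4j_count() {
    log4j_inventory "$1" | wc -l | tr -d ' '
}

# When run with a directory argument, print the inventory for it, e.g.
#   sh log4j_inventory.sh / > before.txt   (then again after the upgrade)
if [ "$#" -gt 0 ]; then
    log4j_inventory "$1"
fi
```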
sbsbstout
Posts: 9
Joined: Thu Aug 05, 2021 9:45 am

Post by sbsbstout »

Hello,

After upgrade, the web UI still shows version 2.1.10 and update check alerts there is an update.

The upgrade.log file shows new version installed. I ran the upgrade a second time and upgrade.log shows new version is installed. I rebooted the server after each upgrade.

upgrade.log - after first run

Old Version: 2110
New Version: 2111


upgrade.log - after second run

Old Version: 2111
New Version: 2111

No errors and both times, "Nagios Log Server Upgrade Complete!"

Brandon
lee.bennett
Posts: 1
Joined: Wed Apr 01, 2020 5:30 pm

Post by lee.bennett »

Hi Brandon,

We had also tried to update to 2.1.11 a couple of hours ago and experienced the same as you. We had taken a VM snapshot and have for now rolled back. We also tried an upgrade attempt straight after a reboot. Both using the Quick and manual process, including 'Disabling Shard Allocation'.

Additionally, we also noted that if we run find / -name "*log4j*" we still see just as many Log4j files! Confirming that the changes in the upgrade did not take place...

Thanks

Lee
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Post by ssax »

Based on the hover tooltip on Disable Update Check in Admin > Global Settings, it only checks for updates every 24 hours, so it likely won't show as updated until then.