arvindshmicrosoft opened a new pull request #425: URL: https://github.com/apache/fluo-muchos/pull/425
Fixes #418. Muchos can be used to deploy an optional `elkserver` role wherein OSS versions of the ELK stack are deployed (see #338). Elasticsearch and Logstash are among the external packages deployed when the `elkserver` role is optionally assigned to hosts in muchos.props. Both those packages use an older version of log4j2 which is vulnerable to the following known issues:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046

ElasticSearch and Logstash have addressed these vulnerabilities in their 7.16.2 releases. However, due to licensing issues the last OSS ELK stack version is 7.10.2, which requires the removal of the JNDI class for mitigation. Hence, we mitigate the known vulnerabilities by deleting the JNDI class from the older log4j2-core JAR deployed by those external components.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
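The mitigation the PR describes, removing the JNDI lookup class from a log4j-core JAR when upgrading Log4j itself is not an option, as an added example that is not code from the fluo-muchos PR or the project. The class path inside the JAR (`org/apache/logging/log4j/core/lookup/JndiLookup.class`) is the one named in the Apache Log4j advisory for CVE-2021-44228; the JAR names and directory layout are assumptions, and the sample JAR is constructed locally so the script runs offline. Python's `zipfile` cannot delete an entry in place, so the script rewrites the archive without the entry and swaps it in atomically, then re-checks the JAR, which is the verification step you want in an Ansible task as well (and the JAR must be edited before the service that loads it is started, or restarted afterwards).

```python
"""Strip JndiLookup.class from log4j-core JARs (CVE-2021-44228 / CVE-2021-45046 mitigation).

Added example, not the fluo-muchos project's code. Assumes the JARs live under a
directory tree you point it at and are named log4j-core-*.jar.
"""
import os
import shutil
import tempfile
import zipfile

# Entry named in the Apache Log4j advisory as the class to remove from log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path: str) -> bool:
    """Return True if the JAR still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite jar_path without JndiLookup.class.

    Returns True if the class was removed, False if it was already absent.
    Every other entry is copied into a temporary archive next to the original,
    preserving its compression type and metadata, and then atomically replaces it.
    """
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP_CLASS:
                    continue
                dst.writestr(info, src.read(info.filename))
        shutil.copymode(jar_path, tmp_path)
        os.replace(tmp_path, jar_path)
    except Exception:
        os.unlink(tmp_path)
        raise
    return True


def find_log4j_core_jars(root: str) -> list:
    """Walk root and return every JAR named log4j-core-*.jar (assumed naming)."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def mitigate_tree(root: str) -> dict:
    """Strip JndiLookup from every log4j-core JAR under root; map path -> removed?"""
    return {jar: strip_jndi_lookup(jar) for jar in find_log4j_core_jars(root)}


def make_sample_jar(path: str, with_jndi: bool = True) -> None:
    """Constructed stand-in JAR for offline demonstration (not real log4j bytecode)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Build a constructed tree, run the mitigation twice, and report what happened."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "lib", "log4j-core-SAMPLE.jar")  # constructed name
    os.makedirs(os.path.dirname(jar))
    make_sample_jar(jar)
    before = has_jndi_lookup(jar)
    first_pass = mitigate_tree(root)
    after = has_jndi_lookup(jar)
    with zipfile.ZipFile(jar) as check:
        other_entries_kept = "org/apache/logging/log4j/core/Logger.class" in check.namelist()
    second_pass = mitigate_tree(root)  # idempotent: already stripped -> False
    shutil.rmtree(root)
    return {
        "present_before": before,
        "first_pass_removed": first_pass[jar],
        "present_after": after,
        "other_entries_kept": other_entries_kept,
        "second_pass_removed": second_pass[jar],
    }


if __name__ == "__main__":
    print(demo())
```

Against a real deployment you would call `mitigate_tree()` on each external component's lib directory (for example the Elasticsearch and Logstash install roots) and fail the playbook if `has_jndi_lookup()` still returns True for any JAR afterwards.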
