Heads up everyone using (S)MW with ElasticSearch!
Markus
-------- Forwarded Message --------
Subject: [MediaWiki-l] [Security vulnerability] Log4j zero-day exploit info for CirrusSearch and Semantic MediaWiki ElasticStore
Date: Mon, 13 Dec 2021 13:46:40 -0600
From: Jeffrey Wang <j...@mywikis.com>
Reply-To: MediaWiki announcements and site admin list <mediawik...@lists.wikimedia.org>
To: mediawik...@lists.wikimedia.org
Hello all,
As you may have seen recently, Log4j has a severe zero-day exploit
affecting many projects, including Elasticsearch. For anyone using
CirrusSearch or Semantic MediaWiki’s ElasticStore, here’s what you need
to know:
- If you are using JDK 11 or above, you’re not affected. 😊
- If you are using the latest version of the Elasticsearch 6.x Docker
images, you’re not affected. This is because 6.6 uses JDK 11, 6.7 uses
JDK 12, and 6.8 uses JDK 15. 😊
- If you are using JDK 8 or under, you are likely affected. 😭 There are
a few ways to fix this:
-- First, Elasticsearch 6.8.21 is being released to remedy this.
Upgrading to this version should resolve the issues even if you are
using JDK 8 or below.
-- If you are using Elasticsearch 6.5.4, 6.6.x, 6.7.x, or you are
otherwise unable to upgrade to the latest version of Elasticsearch 6.x,
I strongly recommend you try upgrading your JDK version to at least JDK
11 or upgrade Elasticsearch to 6.8.21 when it comes out.
-- If you can’t upgrade your JDK or Elasticsearch, you can set the JVM
option -Dlog4j2.formatMsgNoLookups=true
You may have seen information on the CirrusSearch extension page saying
CirrusSearch 6.5.4 only currently works with Elasticsearch 6.5.4. That
is not correct; CirrusSearch 6.5.4 works just fine with 6.8.20 (for
instance, Project Canasta uses the ES 6.8.20 Docker image) and the
extension page has been updated to reflect that.
For more information from Elastic themselves, please see this:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
Thanks,
Jeffrey
_______________________________________________
MediaWiki-l mailing list -- mediawik...@lists.wikimedia.org
To unsubscribe send an email to mediawiki-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
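The triage rules in Jeffrey's message (JDK 11 or newer is unaffected; Elasticsearch 6.8.21 carries the fix; otherwise the -Dlog4j2.formatMsgNoLookups=true JVM flag is the fallback) can be applied mechanically to the output of the Elasticsearch node-info API rather than checked by hand on each node. The script below is an added example written for this post, not code from the mailing list, MediaWiki or Elastic. It assumes the response shape of GET /_nodes/jvm (each node carries its Elasticsearch "version" and a "jvm" object with "version" and "input_arguments"); the cluster document embedded in it is constructed sample data, and the rules encoded are exactly the ones from the message above for CVE-2021-44228.

```python
import json
from typing import Dict, Tuple

# Constructed sample: mimics GET /_nodes/jvm on a small 6.x cluster,
# trimmed to the fields the triage uses. Not real cluster output.
SAMPLE_NODES_JSON = """
{
  "nodes": {
    "node-a": {"name": "es-a", "version": "6.8.20",
               "jvm": {"version": "1.8.0_292", "input_arguments": ["-Xms1g"]}},
    "node-b": {"name": "es-b", "version": "6.8.20",
               "jvm": {"version": "1.8.0_292",
                       "input_arguments": ["-Xms1g", "-Dlog4j2.formatMsgNoLookups=true"]}},
    "node-c": {"name": "es-c", "version": "6.6.2",
               "jvm": {"version": "11.0.12", "input_arguments": []}},
    "node-d": {"name": "es-d", "version": "6.8.21",
               "jvm": {"version": "1.8.0_292", "input_arguments": []}}
  }
}
"""

MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def jvm_major(version: str) -> int:
    """Return the JDK major number: '1.8.0_292' -> 8, '11.0.12' -> 11, '15' -> 15."""
    parts = version.split(".")
    if parts[0] == "1" and len(parts) > 1:      # legacy 1.x naming (JDK 8 and older)
        return int(parts[1])
    return int(parts[0].split("-")[0])          # tolerate suffixes such as '17-ea'


def es_version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '6.8.21' into (6, 8, 21) so versions compare numerically."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def assess_node(node: Dict) -> Tuple[str, str]:
    """Apply the message's triage rules to one node; returns (status, reason)."""
    jdk = jvm_major(node["jvm"]["version"])
    es = es_version_tuple(node["version"])
    args = node["jvm"].get("input_arguments", [])
    if jdk >= 11:
        return "not affected", f"JDK {jdk} (11 or above)"
    if es >= (6, 8, 21):
        return "not affected", f"Elasticsearch {node['version']} (6.8.21 or later)"
    if MITIGATION_FLAG in args:
        return "mitigated", f"JVM flag {MITIGATION_FLAG} present"
    return "likely affected", (
        f"JDK {jdk} with Elasticsearch {node['version']} and no mitigation flag")


def assess_cluster(nodes_json: str) -> Dict[str, Tuple[str, str]]:
    """Assess every node in a GET /_nodes/jvm response, keyed by node name."""
    data = json.loads(nodes_json)
    return {n["name"]: assess_node(n) for n in data["nodes"].values()}


if __name__ == "__main__":
    for name, (status, reason) in assess_cluster(SAMPLE_NODES_JSON).items():
        print(f"{name}: {status} ({reason})")
```

Against a live cluster, replace SAMPLE_NODES_JSON with the body returned by curl -s http://localhost:9200/_nodes/jvm; the JDK check deliberately takes precedence over the Elasticsearch version check, matching the order of the bullets in the message.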
_______________________________________________
Semediawiki-devel mailing list
Semediawiki-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/semediawiki-devel