Heads up everyone using (S)MW with ElasticSearch!

Markus


-------- Forwarded Message --------
Subject: [MediaWiki-l] [Security vulnerability] Log4j zero-day exploit info for CirrusSearch and Semantic MediaWiki ElasticStore
Date:   Mon, 13 Dec 2021 13:46:40 -0600
From:   Jeffrey Wang <j...@mywikis.com>
Reply-To: MediaWiki announcements and site admin list <mediawik...@lists.wikimedia.org>
To:     mediawik...@lists.wikimedia.org

Hello all,

As you may have seen recently, Log4j has a severe zero-day exploit affecting many projects, including Elasticsearch. For anyone using CirrusSearch or Semantic MediaWiki’s ElasticStore, here’s what you need to know:

- If you are using JDK 11 or above, you’re not affected. 😊
- If you are using the latest version of the Elasticsearch 6.x Docker images, you’re not affected. This is because 6.6 uses JDK 11, 6.7 uses JDK 12, and 6.8 uses JDK 15. 😊
- If you are using JDK 8 or under, you are likely affected. 😭 There are a few ways to fix this:
  -- First, Elasticsearch 6.8.21 is being released to remedy this. Upgrading to this version should resolve the issues even if you are using JDK 8 or below.
  -- If you are using Elasticsearch 6.5.4, 6.6.x, 6.7.x, or you are otherwise unable to upgrade to the latest version of Elasticsearch 6.x, I strongly recommend you try upgrading your JDK version to at least JDK 11 or upgrade Elasticsearch to 6.8.21 when it comes out.
  -- If you can’t upgrade your JDK or Elasticsearch, you can set the JVM option -Dlog4j2.formatMsgNoLookups=true

You may have seen information on the CirrusSearch extension page saying CirrusSearch 6.5.4 only currently works with Elasticsearch 6.5.4. That is not correct; CirrusSearch 6.5.4 works just fine with 6.8.20 (for instance, Project Canasta uses the ES 6.8.20 Docker image) and the extension page has been updated to reflect that.

For more information from Elastic themselves, please see this:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Thanks,
Jeffrey
_______________________________________________
MediaWiki-l mailing list -- mediawik...@lists.wikimedia.org
To unsubscribe send an email to mediawiki-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
_______________________________________________
Semediawiki-devel mailing list
Semediawiki-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/semediawiki-devel
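The checklist in the forwarded message above (JDK version, Elasticsearch version, or the formatMsgNoLookups JVM option) can be applied to every node in a cluster from the output of Elasticsearch's `GET /_nodes/jvm` endpoint. The script below is an added example, not code from the message or from Elastic; the node records in it are constructed sample data shaped like that endpoint's response, and the verdict codes are my own.

```python
import json

# Constructed sample resembling a trimmed response of GET /_nodes/jvm on an
# Elasticsearch 6.x cluster (node names and versions are made up).
SAMPLE_NODES_JVM = json.loads("""
{"nodes": {
  "node-a": {"name": "es-a", "version": "6.5.4",
             "jvm": {"version": "1.8.0_292", "input_arguments": ["-Xms1g"]}},
  "node-b": {"name": "es-b", "version": "6.8.20",
             "jvm": {"version": "15.0.1", "input_arguments": ["-Xms1g"]}},
  "node-c": {"name": "es-c", "version": "6.8.21",
             "jvm": {"version": "1.8.0_292", "input_arguments": ["-Xms1g"]}},
  "node-d": {"name": "es-d", "version": "6.7.2",
             "jvm": {"version": "1.8.0_292",
                     "input_arguments": ["-Dlog4j2.formatMsgNoLookups=true"]}}
}}
""")

MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def jvm_major(version: str) -> int:
    """Map a JVM version string to its major number: 1.8.0_292 -> 8, 11.0.13 -> 11."""
    parts = version.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def es_tuple(version: str) -> tuple:
    """Turn '6.8.21' (or '6.8.21-SNAPSHOT') into a comparable tuple."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def assess_node(node: dict) -> tuple:
    """Apply the message's checklist to one node record; returns (status, reason)."""
    jvm = node["jvm"]
    if jvm_major(jvm["version"]) >= 11:
        return "not_affected", "JDK 11 or newer"
    if es_tuple(node["version"]) >= (6, 8, 21):
        return "not_affected", "Elasticsearch 6.8.21 or newer"
    if MITIGATION_FLAG in jvm["input_arguments"]:
        return "mitigated", "formatMsgNoLookups set; still plan a JDK or Elasticsearch upgrade"
    return "affected", "JDK 8 or older and no fix applied: upgrade JDK to 11+, upgrade to 6.8.21, or set " + MITIGATION_FLAG


def assess_cluster(nodes_jvm: dict) -> dict:
    """Verdict per node name for a whole /_nodes/jvm document."""
    return {n["name"]: assess_node(n) for n in nodes_jvm["nodes"].values()}


if __name__ == "__main__":
    for name, (status, reason) in assess_cluster(SAMPLE_NODES_JVM).items():
        print(f"{name}: {status} ({reason})")
```

On a live cluster, feed the script the JSON from `curl -s http://localhost:9200/_nodes/jvm` instead of the constructed sample.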