Log4j issue - CVE-2021-44832

[CVE-2021-44832] - This bug was reported on 28th Dec 2021. Please confirm whether this is fixed in OpenSearch v1.2.3
https://logging.apache.org/log4j/2.x/security.html#

Most likely not, as it is being tracked with this ticket for 1.2.4:

Not in 1.2.3. It will be fixed in the next release.

From what I understand, this one is pretty narrow in how it applies to OpenSearch, so the urgency is lower. Indeed, it’s a “Moderate” severity and, in the context of OpenSearch, random folks don’t have permission to modify the logging configuration file. Likely, if a user has access to modify the logging config file, this user is probably already able to execute arbitrary code.
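Since the thread turns on whether CVE-2021-44832 is actually reachable in a given OpenSearch deployment, here is an added example (it is not code from the OpenSearch project or from anyone in this thread) that checks the two preconditions on a node: whether the log4j-core jar on disk predates the fixed releases (2.17.1, with 2.12.4 and 2.3.2 on the Java 7 / Java 6 maintenance branches, per the Apache advisory linked above), and whether any Log4j 2 configuration file declares a JDBC appender whose DataSource is resolved through JNDI, plus whether that file is writable by anyone other than its owner. It assumes a POSIX host, jars named `log4j-core-<version>.jar`, and Log4j 2 configs in either the properties or XML format; the sample configurations embedded below are constructed for the demo and are not OpenSearch's shipped defaults.

```python
#!/usr/bin/env python3
"""Offline audit of the CVE-2021-44832 preconditions on an OpenSearch node.

The CVE is only reachable when an attacker can rewrite the Log4j 2 config so
that a JDBC appender resolves its DataSource through JNDI, so the audit checks
(1) the log4j-core version on disk and (2) the config for that appender shape
and for write access by group/other.  Added example; assumptions are noted.
"""
import re
import stat
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# One "appender.<name>.<key> = <value>" line of a log4j2.properties file.
PROP_RE = re.compile(r"^\s*appender\.([^.\s]+)\.(\S+?)\s*=\s*(.*?)\s*$")


def version_from_jar_name(name):
    """Return (major, minor, patch) from a log4j-core jar file name, else None."""
    m = JAR_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def log4j_core_vulnerable(version):
    """True if a Log4j 2.x core version predates the CVE-2021-44832 fixes."""
    major, minor, patch = version
    if major != 2:
        return False  # Log4j 1.x is a different code base; not assessed here
    if minor == 3:    # Java 6 maintenance branch, fixed in 2.3.2
        return patch < 2
    if minor == 12:   # Java 7 maintenance branch, fixed in 2.12.4
        return patch < 4
    return (minor, patch) < (17, 1)


def _jndi_jdbc_properties(text):
    appenders = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            name, key, value = m.groups()
            appenders.setdefault(name, {})[key] = value
    return [name for name, props in appenders.items()
            if props.get("type", "").upper() == "JDBC"
            and any(k.lower().endswith("jndiname") for k in props)]


def _jndi_jdbc_xml(text):
    root = ET.fromstring(text)
    return [jdbc.get("name", "<unnamed>") for jdbc in root.iter("JDBC")
            if any("jndiName" in ds.attrib for ds in jdbc.iter("DataSource"))]


def jndi_jdbc_appenders(config_text):
    """Names of JDBC appenders whose DataSource is looked up via JNDI (XML or properties)."""
    if config_text.lstrip().startswith("<"):
        return _jndi_jdbc_xml(config_text)
    return _jndi_jdbc_properties(config_text)


def writable_by_others(path):
    """True if group or other holds write permission on the file (POSIX mode bits)."""
    return bool(stat.S_IMODE(Path(path).stat().st_mode) & 0o022)


def audit_install(root):
    """Walk an install directory; return human-readable findings (empty list = clean)."""
    root, findings = Path(root), []
    for jar in root.rglob("log4j-core-*.jar"):
        v = version_from_jar_name(jar.name)
        if v and log4j_core_vulnerable(v):
            findings.append(f"{jar}: log4j-core {'.'.join(map(str, v))} predates the fix")
    for cfg in list(root.rglob("log4j2.properties")) + list(root.rglob("log4j2.xml")):
        hits = jndi_jdbc_appenders(cfg.read_text(errors="replace"))
        if hits:
            findings.append(f"{cfg}: JDBC appender(s) with JNDI DataSource: {', '.join(hits)}")
        if writable_by_others(cfg):
            findings.append(f"{cfg}: config writable by group/other")
    return findings


# Constructed sample configs (not OpenSearch's shipped log4j2.properties).
SAMPLE_PROPERTIES = """status = error
appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%c{1.}] %m%n
# the CVE-2021-44832 precondition: JDBC appender fed by a JNDI DataSource,
# whose jndiName an attacker controls if they can edit this file
appender.db.type = JDBC
appender.db.name = db
appender.db.tableName = LOGS
appender.db.connectionSource.type = DataSource
appender.db.connectionSource.jndiName = java:/comp/env/jdbc/LoggingDataSource
rootLogger.level = info
rootLogger.appenderRef.console.ref = console
"""
SAMPLE_XML = """<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="LOGS">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
    </JDBC>
  </Appenders>
</Configuration>
"""
SAFE_PROPERTIES = "appender.console.type = Console\nappender.console.name = console\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. ./audit.py /usr/share/opensearch
        print("\n".join(audit_install(sys.argv[1]) or ["no findings"]))
    else:
        for label, text in (("properties", SAMPLE_PROPERTIES), ("xml", SAMPLE_XML),
                            ("console-only", SAFE_PROPERTIES)):
            print(f"{label}: {jndi_jdbc_appenders(text) or 'no JDBC/JNDI appender'}")
```

Run it with the OpenSearch install directory as the only argument; with no argument it runs over the constructed configs. A node whose only log4j-core is at or above the fixed versions, or whose configs contain no JDBC/JNDI appender and are not writable by anyone but their owner, has no path to this CVE regardless of what a scanner's version match says.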

@searchymcsearchface good day to you sir. It is not my intention to start a “flame war”, but organizational risk isn’t generally determined by the “technical” guys like us. For instance, my organization sees something Log4j related come up in vulnerability scans and then the system owner wants to nuke whatever it is immediately. We currently have our OpenSearch instances and Logstash shut down until patches are released for CVE-2021-44832 because that is the only “acceptable risk reduction” that would be accepted by our system owner. I’m not saying it is like this across the board with every organization, but in our small little bubble of the world, this is the way it works. I mean no ill will and really love the OpenSearch project, so please don’t take this as a jab but rather as a different perspective. Thanks. :slight_smile:

I can certainly pass that along.

Do you typically shut down based on any moderate CVE, or is this just because of Log4j being so pervasive?

Depends. The more “media attention” something gets. Log4j has been really publicized so it is more at the forefront of the mind of our system owner. Then there is organizational policy that states, “if it is not patched by this date, then the system should be taken offline”. No caveats or exceptions so in our case, if it is related to this current string of Log4j vulnerabilities, that is the way it is. Also, CVE ratings don’t account for organizational risk in general, what is moderate to one organization may be critical to another.

Basically, it is our organizational policies that are killing us right now and not the vulnerability itself.

I hear you, and it makes total sense - I’ll bring up that Log4j is especially sensitive beyond the CVE rating or the specific impact to the project.

(Personal note: The fact that my 75 year old, non-technical father asked if he should be worried personally about Log4j definitely tells you the media attention that this is getting :joy:)


lol Yeah, in the perfect world the system owner and technical personnel would work together and understand the true risk to the organization due to a particular vulnerability but most of the time it ends up being knee-jerk reactions and the “guilty by association” type “understanding” of the problem. Will look forward to the patch release hopefully soon. I’ve been watching the Github repos and watching the progress for Opensearch 1.2.4 and Logstash like a mad man so kudos for the work being done.

Thanks for the reply.
