Logstash OSS with OpenSearch Output Plugin Log4j vulnerable

Hi, the latest versions of Logstash OSS with OpenSearch Output Plugin available seem to be old versions. Is it possible to get these updated to 7.16.1 to fix the Log4j issue? Thanks!

https://hub.docker.com/r/opensearchproject/logstash-oss-with-opensearch-output-plugin/tags

Hello @jong - per the updates to our blog post: "In addition, we are releasing a version of the Logstash OSS with OpenSearch Output Plugin bundle which resolves both CVE-2021-44228 and CVE-2021-45046."

Thanks for the reply, but I’m struggling to understand what the situation is here.

The blog post seems to suggest it had been fixed already but there is no release. Is one coming soon? Do I just need a bit more patience?

Thanks

It’s a work in progress - that section of the blog post was from yesterday afternoon (Update Dec 14, 2021).

Thanks for clarifying. That part of the blog post seemed a bit ambiguous. Good to know it is coming.

@kris, I am looking for an updated image at Docker Hub as well.
Is there an estimate on when this will be available?
I was looking to apply the manual mitigation of removing the class using the zip command, but I get "zip: command not found" while attempting it.

Created a local image using this Dockerfile:

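FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:7.13.4
# Root is needed only to install zip and rewrite the jar
USER root
RUN yum install -y zip
# Delete JndiLookup.class from log4j-core (manual Log4j mitigation)
RUN zip -q -d /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
# Drop back to the unprivileged logstash user (assumed to be UID 1000, as in the upstream Logstash image)
USER 1000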

Should be fine for now
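
A check for the manual mitigation above, as an added example that is not part of the original posts: it scans a directory tree (for instance, a copy of /usr/share/logstash taken out of the image) for log4j-core jars that still contain JndiLookup.class, and can strip the class without the zip binary. The function names and the sample jars are constructed for illustration.

```python
import os
import shutil
import tempfile
import zipfile

# Class path taken from the zip -d command in the post above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar_path):
    """Return True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()

def find_unmitigated(root):
    """Return sorted paths of log4j-core jars under root that still contain the class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.startswith("log4j-core-") and name.endswith(".jar") and has_jndi_lookup(path):
                hits.append(path)
    return sorted(hits)

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(os.path.abspath(jar_path)))
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    shutil.copymode(jar_path, tmp)  # keep the original file mode on the rewritten jar
    os.replace(tmp, jar_path)       # swap in place on the same filesystem
    return True

def build_sample_tree(root):
    """Constructed sample: two fake jars with placeholder bytes, one already mitigated."""
    jars = os.path.join(root, "logstash-core", "lib", "jars")
    os.makedirs(jars)
    vuln = os.path.join(jars, "log4j-core-2.14.0.jar")
    clean = os.path.join(jars, "log4j-core-0.0.0-sample.jar")
    for path, names in ((vuln, [JNDI_CLASS, "META-INF/MANIFEST.MF"]), (clean, ["META-INF/MANIFEST.MF"])):
        with zipfile.ZipFile(path, "w") as jar:
            for n in names:
                jar.writestr(n, b"placeholder")
    return vuln, clean

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    vuln, _ = build_sample_tree(root)
    print("before:", find_unmitigated(root))
    strip_jndi_lookup(vuln)
    print("after: ", find_unmitigated(root))
```

An empty result from `find_unmitigated` means no log4j-core jar under that tree still carries the class; it says nothing about the Log4j version itself.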

Updated Logstash OSS with OpenSearch Output Plugin now available as well
