- 10 May 2022
- 2 Minutes to read
Upgrade Graylog Against Log4Shell
A zero-day vulnerability (CVE-2021-44228, "Log4Shell") in Apache Log4j 2 versions 2.0 through 2.14.1 was publicly disclosed on December 9, 2021. In response, Graylog released 3.3.15, 4.0.14, 4.1.9, and 4.2.3 with a patched Log4j. Shortly afterward the Log4j project published a further fix for a follow-up issue, and Graylog has since moved to Log4j 2.16.0.
Log4j 2.16.0 fixes CVE-2021-45046, an incompleteness in the first fix that was initially reported as a denial-of-service issue. For that reason the Graylog team published additional 4.2.x, 4.1.x, 4.0.x, and 3.3.x releases that ship Log4j 2.16.0.
This guide lists the steps needed to upgrade instances of both Graylog Server and the Graylog Forwarder.
Graylog On-prem Update - OS Packages
Use the command set that matches the package manager of the operating system on which you installed Graylog: apt-get on Debian/Ubuntu, yum on RHEL/CentOS.
On Debian/Ubuntu:
sudo apt-get update
# NOTE: The next step may prompt you to replace the server.conf file. Do not overwrite it (select N).
# It contains custom configuration you need to preserve; overwriting it can take your Graylog instance down altogether.
sudo apt-get install graylog-server
# Or, if you installed "graylog-enterprise" instead of "graylog-server":
sudo apt-get install graylog-enterprise
sudo systemctl restart graylog-server.service
On RHEL/CentOS:
sudo yum install --refresh graylog-server
# Or, if you installed "graylog-enterprise" instead of "graylog-server":
sudo yum install --refresh graylog-enterprise
sudo systemctl restart graylog-server.service
Forwarder Update - OS Packages
The following commands assume that the OS package repository files were installed according to the Forwarder installation instructions. They refresh the package repository metadata so the latest package versions are visible, then install the latest version.
On Debian/Ubuntu:
sudo apt-get update
# NOTE: The next step may prompt you to replace the Forwarder's configuration file. Do not overwrite it (select N).
# It contains custom configuration you need to preserve; overwriting it can take your Forwarder down altogether.
sudo apt-get install graylog-forwarder
sudo systemctl restart graylog-forwarder.service
On RHEL/CentOS, the --refresh flag forces the metadata refresh before updating to the latest version:
sudo yum update --refresh graylog-forwarder
sudo systemctl restart graylog-forwarder.service
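After the Server and Forwarder packages have been upgraded, it is worth confirming that no log4j-core jar older than 2.16.0 is left on the host, rather than trusting the package version alone. The script below is an added example, not part of the Graylog documentation or the Graylog packages. It assumes (this is not stated on the page) that the Server installs its jars under /usr/share/graylog-server and the Forwarder under /usr/share/graylog-forwarder; adjust the paths for your installation.

```shell
#!/bin/sh
# Added verification script (not from the Graylog docs): report every
# log4j-core jar below a directory and flag any that is older than the
# Log4j version the patched Graylog releases ship (2.16.0, per the page).
# Install paths are assumptions, not taken from the page.

MIN_LOG4J="2.16.0"

# Extract the version from a log4j-core jar filename,
# e.g. log4j-core-2.14.1.jar -> 2.14.1 (prints nothing if the name does not match).
log4j_version_from_jar() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Return 0 if $1 >= $2, comparing dotted numeric versions field by field.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# Scan a directory tree for log4j-core jars. Prints one line per jar and
# returns 1 if any jar is older than MIN_LOG4J (or its version cannot be
# parsed), 0 otherwise. Note: paths containing whitespace are not handled.
check_log4j_dir() {
    status=0
    for jar in $(find "$1" -name 'log4j-core-*.jar' 2>/dev/null); do
        ver="$(log4j_version_from_jar "$jar")"
        if [ -z "$ver" ]; then
            echo "UNKNOWN    $jar (could not parse version)"
            status=1
        elif version_ge "$ver" "$MIN_LOG4J"; then
            echo "OK         $jar ($ver)"
        else
            echo "VULNERABLE $jar ($ver < $MIN_LOG4J)"
            status=1
        fi
    done
    return $status
}

# When run as a script, scan the assumed Server and Forwarder install paths.
rc=0
for d in /usr/share/graylog-server /usr/share/graylog-forwarder; do
    if [ -d "$d" ]; then
        check_log4j_dir "$d" || rc=1
    fi
done
```

Run it on the upgraded host; a non-zero rc (any VULNERABLE or UNKNOWN line) means the upgrade did not take effect for that component, typically because a different package (graylog-server vs graylog-enterprise) was installed or the service is running from a non-package location.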
Warning: Elasticsearch 7.11 and later are not supported by Graylog. Do not upgrade Elasticsearch to 7.11 or later to get a fixed Log4j; Graylog will stop working.
Elasticsearch itself is affected by this vulnerability, as discussed in Elastic's forum post.
Affected Versions of ES
Elasticsearch 5.0.0 and later ship a vulnerable version of Log4j. The Graylog team confirmed that the Java Security Manager blocks the remote code execution path in Elasticsearch 6 and 7. Elasticsearch 5 is still under investigation.
ES Solutions and Mitigations
For Elasticsearch, add the JVM option -Dlog4j2.formatMsgNoLookups=true. For instructions on setting JVM options, follow the steps in Elastic's JVM options chapter. This flag is the mitigation Elastic recommended for Elasticsearch; note that the Log4j project no longer lists it as a general-purpose mitigation, because it does not cover CVE-2021-45046 in non-default Log4j configurations.
If you run Elasticsearch from docker-compose, add the option to ES_JAVA_OPTS in the elasticsearch service of your docker-compose.yaml, for example:
elasticsearch:
  image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
  environment:
    - http.host=0.0.0.0
    - transport.host=localhost
    - network.host=0.0.0.0
    - "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms4096m -Xmx4096m"
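Setting the flag in a file is only half the job: the running JVM has to have picked it up. The script below is an added example, not part of the Graylog or Elastic documentation. It checks a jvm.options-style file (one option per line, such as a file under jvm.options.d on Elasticsearch 7.10, which is an assumption about your layout), checks that a docker-compose file carries the flag inside ES_JAVA_OPTS rather than merely somewhere in the file, and checks the body of GET /_nodes/jvm from a running node. The JSON used in the test is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example (not from the Graylog or Elastic docs): make sure the Log4j
# lookup kill switch is configured for Elasticsearch and confirm that a running
# node actually received it. File paths are assumptions.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Return 0 if the file already contains the flag anywhere (fixed-string match).
file_has_flag() {
    grep -qF -- "$FLAG" "$1"
}

# Append the flag to a jvm.options-style file unless it is already present.
# Idempotent, so it is safe to run repeatedly from configuration management.
ensure_flag_in_jvm_options() {
    if file_has_flag "$1"; then
        return 0
    fi
    printf '%s\n' "$FLAG" >> "$1"
}

# For docker-compose: the flag must be part of the ES_JAVA_OPTS value itself.
# Elasticsearch only reads JVM options from that variable, so a flag on some
# other line of the file does nothing.
compose_has_flag() {
    grep -- 'ES_JAVA_OPTS=' "$1" | grep -qF -- "$FLAG"
}

# Given the body of GET /_nodes/jvm (in practice:
#   curl -s http://localhost:9200/_nodes/jvm), return 0 only if the flag
# appears as one of the JVM input_arguments of the node.
running_node_has_flag() {
    printf '%s' "$1" | grep -qF -- "\"$FLAG\""
}
```

If compose_has_flag succeeds but running_node_has_flag fails against a node started from that file, the container was not recreated: docker-compose restart keeps the old environment, so run docker-compose up -d for the elasticsearch service and check again.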