...

  • Update the /etc/elasticsearch/jvm.options file, adding the following parameter to the log4j section around line.

    • -Dlog4j2.formatMsgNoLookups=true

  • Restart Elasticsearch once the file has been saved, using

    • “service elasticsearch restart” or “systemctl restart snare.service”.

  • We will incorporate this update mitigation in the next patch for Snare Central.

  • Customers can also remove the Log4j core jar from the system, but this may affect the operation of Elasticsearch. If it's not required, you can remove the following file.

    • Log in as the root user, save a copy of the file under /home/snare in case you need to recover it, then run “rm /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar”.

  • Alternatively, customers can edit the jar file, which is basically a zip archive of classes. Take a copy of it first in case you need to restore it for some reason. Elasticsearch will continue to function with this class removed; only the Log4j2 JNDI lookup (the JndiLookup class, which is where the vulnerability is) is disabled. We are not aware of any direct vulnerability in Snare Central for this, but this is an extra mitigation for those who are concerned.

    • cd /usr/share/elasticsearch/lib and run the following command:

    • zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    • Now restart Elasticsearch with “/etc/init.d/elasticsearch restart”.
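The steps above are manual shell commands. The following is an added example (not part of this page or of the Snare Central product) that applies and verifies the same two mitigations programmatically: it confirms whether `jvm.options` carries `-Dlog4j2.formatMsgNoLookups=true` and appends it if missing, and it strips `org/apache/logging/log4j/core/lookup/JndiLookup.class` from a jar after taking a backup, exactly as `zip -q -d` would. It runs against a constructed sample directory (a fake `log4j-core-2.11.1.jar` containing a stub `JndiLookup.class` and a minimal `jvm.options`) so it can be tried offline; point `strip_jndi_lookup()` and `ensure_jvm_flag()` at the real paths from the page to use it on a host. The service restart is not performed by the script.

```python
"""Audit and apply the Log4j JndiLookup / formatMsgNoLookups mitigations (added example)."""
import os
import shutil
import tempfile
import zipfile

# Class path and JVM flag exactly as given in the mitigation steps above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def jar_has_jndi_lookup(jar_path):
    """True if the jar still ships the JndiLookup class (i.e. not yet mitigated)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar_path, backup_dir):
    """Back the jar up, then rewrite it without JndiLookup.class (what `zip -d` does).

    Returns the path of the backup copy so the change can be rolled back.
    """
    os.makedirs(backup_dir, exist_ok=True)
    backup = os.path.join(backup_dir, os.path.basename(jar_path))
    shutil.copy2(jar_path, backup)
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue  # drop only the vulnerable lookup class
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap; original content survives in `backup`
    return backup


def jvm_options_has_flag(path):
    """True if jvm.options has the flag as an active (non-comment) line."""
    with open(path) as f:
        return any(line.strip() == JVM_FLAG for line in f
                   if not line.strip().startswith("#"))


def ensure_jvm_flag(path):
    """Append the flag if absent. Returns True when the file was changed."""
    if jvm_options_has_flag(path):
        return False
    with open(path, "a") as f:
        f.write("\n# Log4j mitigation: disable message lookups\n" + JVM_FLAG + "\n")
    return True


def make_sample_environment():
    """Constructed sample tree: an unmitigated fake jar and a jvm.options without the flag."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    jar = os.path.join(lib, "log4j-core-2.11.1.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stub bytes, not a real class
    opts = os.path.join(root, "jvm.options")
    with open(opts, "w") as f:
        f.write("## JVM configuration (constructed sample)\n-Xms1g\n-Xmx1g\n## log4j\n")
    return root, jar, opts


def run_demo():
    """Apply both mitigations to the sample and report before/after state."""
    root, jar, opts = make_sample_environment()
    before = (jar_has_jndi_lookup(jar), jvm_options_has_flag(opts))
    backup = strip_jndi_lookup(jar, os.path.join(root, "backup"))
    ensure_jvm_flag(opts)
    after = (jar_has_jndi_lookup(jar), jvm_options_has_flag(opts))
    backup_intact = jar_has_jndi_lookup(backup)  # rollback copy still has the class
    with zipfile.ZipFile(jar) as zf:
        remaining = zf.namelist()
    shutil.rmtree(root)
    return {"before": before, "after": after,
            "backup_intact": backup_intact, "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

Re-running `ensure_jvm_flag()` is idempotent, so the script is safe to use as a post-change check across a fleet; `jar_has_jndi_lookup()` alone is enough for a read-only audit of whether the class removal was actually applied.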

...