HOW TO: Mitigate Security Risks Against Elasticsearch Log4j/Log4Shell Vulnerability


Overview

A critical vulnerability has been reported in Log4j (CVE-2021-44228, "Log4Shell"), a logging library used by Java-based applications. Depending on the configuration of the system, it can be exploited for RCE (Remote Code Execution). It is being actively exploited in the wild, and compromised systems have been observed loading Trojans, ransomware, crypto miners and other malware.

You can refer to the following for more details on the vulnerability:

https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability

https://logging.apache.org/log4j/2.x/security.html

The eMite application and adapters are not affected by this vulnerability: they are built on a C#/.NET code base, use no Java or Apache-based components, and depend on a minimal set of third-party libraries, which reduces the attack surface. However, eMite does use Elasticsearch, a Java application, for data storage.

From the Elasticsearch Advisory

Elasticsearch

Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager.
Elasticsearch on JDK8 or below is susceptible to an information leak via DNS which is fixed by a simple JVM property change. The information leak does not permit access to data within the Elasticsearch cluster.


Mitigation for eMite or Customer-Hosted Amazon Connect Environments

eMite environments for Amazon Connect customers use the AWS-managed Elasticsearch/OpenSearch service, hosted in the customer's own AWS account.

AWS has advised that it is rolling out a service software update to address the Log4j vulnerability:

  • https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

  • “Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. We will notify customers as the update becomes available in their regions, and update this bulletin once it is available worldwide.”

Once you have received the notification/bulletin from AWS, apply the service software update.

  • The service software update is classified as critical, and AWS will automatically apply it a few hours after the notification.

  • The service software update does not require downtime, but it is recommended that you apply it during off-peak hours.
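Checking for and starting the update from the command line, as an added example that is not part of the eMite article or the AWS bulletin. It assumes AWS CLI v2 with credentials allowed to describe the domain and start service software updates, and uses a hypothetical domain name and region; without -Apply it only reports the domain's current and available service software versions.

```powershell
# Added example (not from the eMite article or AWS): report the Amazon OpenSearch
# Service software version of a domain and, with -Apply, start the pending update.
# Assumptions: AWS CLI v2 is installed and authenticated; domain name and region
# below are hypothetical placeholders.
param(
    [string]$DomainName = 'emite-connect',    # hypothetical domain name
    [string]$Region     = 'ap-southeast-2',   # hypothetical region
    [switch]$Apply                            # report only unless given
)
$ErrorActionPreference = 'Stop'

function Get-ServiceSoftwareOptions {
    # The opensearch API also describes legacy Elasticsearch-engine domains.
    $domain = aws opensearch describe-domain --domain-name $DomainName --region $Region --output json |
        ConvertFrom-Json
    return $domain.DomainStatus.ServiceSoftwareOptions
}

$opts = Get-ServiceSoftwareOptions
Write-Host ("Current: {0}  Available: {1}  UpdateAvailable: {2}  Status: {3}" -f
    $opts.CurrentVersion, $opts.NewVersion, $opts.UpdateAvailable, $opts.UpdateStatus)

if (-not $opts.UpdateAvailable) {
    Write-Host 'No service software update pending for this domain.'
    return
}
if (-not $Apply) {
    Write-Host "Update $($opts.NewVersion) is available; re-run with -Apply to start it."
    return
}

# Start the update (no downtime per AWS, but run this in your off-peak window) and
# poll until the domain reports it is no longer pending or in progress.
aws opensearch start-service-software-update --domain-name $DomainName --region $Region | Out-Null
do {
    Start-Sleep -Seconds 60
    $opts = Get-ServiceSoftwareOptions
    Write-Host "$(Get-Date -Format HH:mm:ss) UpdateStatus=$($opts.UpdateStatus) Current=$($opts.CurrentVersion)"
} while ($opts.UpdateStatus -in 'PENDING_UPDATE', 'IN_PROGRESS')
```

Run it once without -Apply to confirm that NewVersion is the version named in the AWS bulletin (R20211203-P2 or later) before starting the update.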


Mitigation for eMite-hosted Genesys Cloud Environments

Most eMite-hosted environments use an Elasticsearch instance installed locally on the customer's eMite server. Access to this Elasticsearch instance is restricted to the eMite application on that server.

For the customer environments where eMite uses the AWS Elasticsearch/OpenSearch service, eMite has applied the service software update (version R20211203-P2), which contains an updated version of Log4j2, as advised by AWS.


Mitigation for Customer-Hosted/On-Premise Environments


For environments using Elasticsearch 5.4 / 6.3 (e.g. eMite v7.0.9)

1. Stop the eMite services.

  • World Wide Web Service

  • eMite Scheduler Service

  • eMite Metric Service

2. Stop and uninstall the Elasticsearch Windows service.

  • sample PowerShell/Command Prompt: C:\elasticsearch-6.3.1\bin\elasticsearch-service.bat remove

3. Go to Elasticsearch lib directory.

4. Copy the log4j-core-*.jar to another directory as a backup.

5. Open the log4j-core-*.jar file with a zip archive tool such as 7-Zip (a jar file is a zip archive).

6. Inside the jar file, delete org/apache/logging/log4j/core/lookup/JndiLookup.class.

The jar file is now updated with that class removed. JndiLookup is the class that performs the JNDI lookup the exploit relies on, so with it gone Log4j can no longer resolve a ${jndi:...} pattern into a remote lookup; this is the mitigation Apache's security page (linked above) describes for Log4j releases that predate the fixed versions.

7. Re-install the Elasticsearch windows service.

  • sample PowerShell/Command Prompt: C:\elasticsearch-6.3.1\bin\elasticsearch-service.bat install

8. Start the Elasticsearch windows service, and set its Startup Type to “Automatic”.

9. Start the eMite services.

  • World Wide Web Service

  • eMite Scheduler Service

  • eMite Metric Service


For environments using Elasticsearch 7.9 (e.g. eMite v7.1.0+)

1. Stop the eMite services.

  • World Wide Web Service

  • eMite Scheduler Service

  • eMite Metric Service

2. Stop and uninstall the Elasticsearch Windows service.

  • sample PowerShell/Command Prompt: C:\elasticsearch-7.9.2\bin\elasticsearch-service.bat remove

3. Add -Dlog4j2.formatMsgNoLookups=true as a new line at the end of Elasticsearch's config\jvm.options file. The service wrapper reads jvm.options when the service is installed, which is why steps 2 and 4 remove and re-install it rather than simply restarting it. Note that Apache's security page (linked above) now describes this property as an incomplete mitigation on its own; removing JndiLookup.class from log4j-core-*.jar, as in the procedure above for Elasticsearch 5.4 / 6.3, works for 7.9 as well.

4. Re-install the Elasticsearch windows service.

  • sample PowerShell/Command Prompt: C:\elasticsearch-7.9.2\bin\elasticsearch-service.bat install

5. Start the Elasticsearch windows service, and set its Startup Type to “Automatic”.

6. Start the eMite services.

  • World Wide Web Service

  • eMite Scheduler Service

  • eMite Metric Service
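The two procedures above (the JndiLookup.class removal for Elasticsearch 5.4 / 6.3 and the jvm.options change for 7.9) carried out as a single PowerShell script, as an added example that is not part of the eMite article or product. It assumes the default Windows service name elasticsearch-service-x64 registered by elasticsearch-service.bat, that the eMite services are registered under the names listed above (W3SVC is the World Wide Web Publishing Service), that the node answers unauthenticated on http://localhost:9200, and that the Elasticsearch install root is passed as -EsHome; all of these are assumptions to adjust for your host. It adds the checks a practitioner wants after the manual steps: it backs up the jar before editing it, verifies that JndiLookup.class is actually gone, and, for the jvm.options route, confirms through the _nodes/jvm API that the running JVM picked up the option.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the eMite article): automate either on-premise mitigation.
param(
    [Parameter(Mandatory)][string]$EsHome,   # e.g. C:\elasticsearch-6.3.1 or C:\elasticsearch-7.9.2
    [Parameter(Mandatory)][ValidateSet('RemoveJndiLookup', 'FormatMsgNoLookups')][string]$Mode,
    [string]$EsServiceName = 'elasticsearch-service-x64',   # assumption: default name from elasticsearch-service.bat
    [string]$EsUrl = 'http://localhost:9200'               # assumption: local node, no authentication
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Assumption: these are the registered service names (check services.msc);
# W3SVC is the World Wide Web Publishing Service.
$eMiteServices = @('W3SVC', 'eMite Scheduler Service', 'eMite Metric Service')
$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$JvmOption = '-Dlog4j2.formatMsgNoLookups=true'

function Test-JndiLookupPresent([string]$JarPath) {
    # A jar is a zip archive; true if it still contains the JNDI lookup class.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try { return ($null -ne $zip.GetEntry($JndiEntry)) } finally { $zip.Dispose() }
}

function Remove-JndiLookup([string]$JarPath) {
    # Steps 4 to 6: back the jar up outside lib\, then delete the class entry in place.
    $backupDir = Join-Path $EsHome 'lib-backup'
    New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
    $backup = Join-Path $backupDir "$(Split-Path $JarPath -Leaf).$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $JarPath -Destination $backup
    Write-Host "Backup written to $backup"
    $zip = [System.IO.Compression.ZipFile]::Open($JarPath, 'Update')
    try {
        $entry = $zip.GetEntry($JndiEntry)
        if ($null -eq $entry) { Write-Host 'JndiLookup.class already absent'; return }
        $entry.Delete()
    } finally { $zip.Dispose() }
}

function Add-JvmOption([string]$OptionsFile) {
    # Step 3 of the 7.9 procedure, idempotent: skip if the exact line already exists.
    if ((Get-Content $OptionsFile) -contains $JvmOption) { Write-Host "$JvmOption already set"; return }
    Add-Content -Path $OptionsFile -Value $JvmOption
}

function Wait-JvmInputArguments {
    # Poll the node until it answers, then return the JVM input arguments it reports.
    for ($i = 0; $i -lt 24; $i++) {
        try {
            $nodes = Invoke-RestMethod -Uri "$EsUrl/_nodes/jvm"
            return @($nodes.nodes.PSObject.Properties | ForEach-Object { $_.Value.jvm.input_arguments })
        } catch { Start-Sleep -Seconds 5 }
    }
    throw "Elasticsearch did not answer on $EsUrl"
}

# 1. Stop the eMite services (skip any not installed on this host).
foreach ($s in $eMiteServices) {
    if (Get-Service -Name $s -ErrorAction SilentlyContinue) { Stop-Service -Name $s -Force }
}

# 2. Stop and remove the Elasticsearch Windows service.
$bat = Join-Path $EsHome 'bin\elasticsearch-service.bat'
if (Get-Service -Name $EsServiceName -ErrorAction SilentlyContinue) {
    Stop-Service -Name $EsServiceName -Force
    & $bat remove
}

# 3. Apply the chosen mitigation to the log4j-core jar or to jvm.options.
$jar = Get-ChildItem -Path (Join-Path $EsHome 'lib') -Filter 'log4j-core-*.jar' | Select-Object -First 1
if (-not $jar) { throw "No log4j-core-*.jar under $EsHome\lib" }
Write-Host "Found $($jar.Name); JndiLookup present before: $(Test-JndiLookupPresent $jar.FullName)"
switch ($Mode) {
    'RemoveJndiLookup'   { Remove-JndiLookup $jar.FullName }
    'FormatMsgNoLookups' { Add-JvmOption (Join-Path $EsHome 'config\jvm.options') }
}

# 4-5. Re-install the service (this is when the wrapper reads jvm.options), set it to
#      start automatically, and start it.
& $bat install
Set-Service -Name $EsServiceName -StartupType Automatic
Start-Service -Name $EsServiceName

# 6. Verify the mitigation actually took effect before bringing eMite back.
if ($Mode -eq 'RemoveJndiLookup') {
    if (Test-JndiLookupPresent $jar.FullName) { throw "JndiLookup.class still present in $($jar.Name)" }
    Write-Host "Verified: JndiLookup.class removed from $($jar.Name)"
} else {
    if ((Wait-JvmInputArguments) -notcontains $JvmOption) { throw "Running JVM did not receive $JvmOption" }
    Write-Host "Verified: node JVM started with $JvmOption"
}

# 7. Start the eMite services again.
foreach ($s in $eMiteServices) {
    if (Get-Service -Name $s -ErrorAction SilentlyContinue) { Start-Service -Name $s }
}
```

Usage: .\Mitigate-Log4j.ps1 -EsHome C:\elasticsearch-6.3.1 -Mode RemoveJndiLookup for the 5.4 / 6.3 procedure, or -EsHome C:\elasticsearch-7.9.2 -Mode FormatMsgNoLookups for 7.9. The script deliberately refuses to restart the eMite services until the verification step passes, so a jar that was not actually modified (for example because a tool still held it open) is caught rather than silently left vulnerable.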


Additional Note