We have now patched and restarted all Elasticsearch databases running on Aptible. For versions that don't support "log4j2.formatMsgNoLookups=true", we have removed the affected JndiLookup class.
In addition, we have completed our review of all Aptible infrastructure and have determined that these Elasticsearch databases are the only vulnerable components. That said, we continue to strongly recommend that all customers review their own infrastructure for any Java apps or dependencies.
Posted Dec 11, 2021 - 00:16 EST
Identified
A zero-day vulnerability in the Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021. It can be exploited trivially to achieve remote code execution.
This vulnerability affects innumerable Java applications, and our security team has reviewed the Aptible platform and determined that customers' Elasticsearch Databases are impacted by this vulnerability.
While Elastic has not made a public security announcement, we have confirmed that this vulnerability is exploitable in Elasticsearch version 5.x. We have also confirmed that the exploit we are using does not work on other versions. However, without clear guidance from Elastic, we are taking action to patch and restart **all** Elasticsearch Databases hosted on Aptible.
Here's a summary of the actions we have taken and planned so far:
* COMPLETED - Contact all customers with Public Database Endpoints that are exposing known vulnerable versions of Elasticsearch, and add an IP Whitelist to those Endpoints.
* COMPLETED - Patch and restart Elasticsearch version 5.6, and versions 6.4 through 7.10, by setting "log4j2.formatMsgNoLookups=true"
* COMPLETED - Patch and restart all other Elasticsearch versions with class replacement
We will continue to provide updates for this incident as we have more progress or information. At this time, we recommend that all customers review their entire infrastructure for any Java apps or dependencies. If you use Java anywhere in your infrastructure, it is likely you're vulnerable to this attack.
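The two mitigations named above (setting "log4j2.formatMsgNoLookups=true" where the Log4j version honours it, removing the JndiLookup class everywhere else) are what the review of your own infrastructure comes down to in practice. The following is an added example, not Aptible's tooling and not code from this incident: it walks a directory tree, reports the Log4j version from the Maven pom.properties that real log4j-core jars bundle, checks whether the JndiLookup class is present, and rewrites a jar without that class. The "2.10" threshold is the Log4j release that introduced the formatMsgNoLookups property; the jars built by build_sample_jar() are constructed fixtures, not real Log4j builds, and the helper names are this example's own.

```python
"""Offline checker for log4j-core jars: report version, detect JndiLookup.class,
and remove that class by rewriting the jar (Python's zipfile cannot delete in place)."""
import os
import shutil
import tempfile
import zipfile

# Class that performs the JNDI lookup abused by CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; used to read the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_version(zf):
    """Return the version string from pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def no_lookups_flag_supported(version):
    """log4j2.formatMsgNoLookups exists from Log4j 2.10 onward; older 2.x
    releases ignore it, so class removal is the only option there."""
    try:
        major, minor = (int(p) for p in version.split(".")[:2])
    except (AttributeError, ValueError):
        return False
    return major == 2 and minor >= 10


def scan_jar(path):
    """Summarise one jar: version, presence of JndiLookup, and whether the flag applies."""
    with zipfile.ZipFile(path) as zf:
        version = log4j_version(zf)
        return {
            "path": path,
            "version": version,
            "has_jndi_lookup": JNDI_LOOKUP in zf.namelist(),
            "no_lookups_flag_supported": no_lookups_flag_supported(version),
        }


def find_log4j_jars(root):
    """Walk a tree and return every .jar that still contains JndiLookup.class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if scan_jar(path)["has_jndi_lookup"]:
                    hits.append(path)
            except zipfile.BadZipFile:
                continue  # not a jar we can read; report nothing for it
    return sorted(hits)


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class. Returns True if the class was removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, path)  # src is closed here, so the replace is safe
    return True


def make_workdir():
    """Fresh temporary directory for the constructed fixtures below."""
    return tempfile.mkdtemp()


def build_sample_jar(directory, version="2.9.1", with_lookup=True):
    """Constructed stand-in for a log4j-core jar (fixture only, not a real Log4j build)."""
    path = os.path.join(directory, "log4j-core-%s.jar" % version)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\ngroupId=org.apache.logging.log4j\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


if __name__ == "__main__":
    work = make_workdir()
    jar = build_sample_jar(work)
    print("before:", scan_jar(jar))
    strip_jndi_lookup(jar)
    print("after: ", scan_jar(jar))
```

Run it against a real application tree by calling find_log4j_jars() on the deployment root and strip_jndi_lookup() on each hit after taking a backup; restart the JVM afterwards, since a running process keeps the old class loaded.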