In response to the vulnerability tagged as   CVE-2021-44228, known as “Log4Shell”, from Artica PFMS we confirm that Pandora FMS does not use this Apache log component and therefore it is not affected.

Discovered by the Alibaba security team, the problem refers to a case of remote execution of unauthenticated code (RCE) in any application that uses this open source utility and affects unpatched versions, from Apache Log4j 2.0-beta9 up to 2.14. 1.

It is true that if we used it, we would be compromised, but fortunately it is a dependency that is not necessary for the operation of our product.

In turn, we must also state that the Elasticsearch component for the log collection feature is potentially affected by CVE-2021-44228.

Recommended solution

There is, however, a solution recommended by the Elasticsearch developers:

1) You can upgrade to a JDK later than 8 to achieve at least partial mitigation.

2) Follow the Elasticsearch instructions from the developer and upgrade to Elasticsearch 6.8.21. or 7,16,1 superior.

Additional solution

In case you can’t update your version here we show you an additional method to solve the same problem:

  • Disable formatMessageLookup as follows:
  1. Stop the Elasticsearch service.
  2. Add -Dlog4j2.formatMsgNoLookups = true to the log4j part of /etc/elasticsearch/jvm.options
  3. Restart the Elasticsearch service.

In the event of any other eventuality we will keep you informed.

Shares