Regarding the vulnerability tracked as CVE-2021-44228, known as “Log4Shell”, Artica PFMS confirms that Pandora FMS does not use this Apache logging component and is therefore not affected.
Discovered by the Alibaba security team, the problem is an unauthenticated remote code execution (RCE) flaw in any application that uses this open source utility; it affects unpatched versions from Apache Log4j 2.0-beta9 up to 2.14.1.
It is true that if we used it, we would be compromised, but fortunately it is a dependency that is not necessary for the operation of our product.
In turn, we must also state that the Elasticsearch component for the log collection feature is potentially affected by CVE-2021-44228.
There is, however, a solution recommended by the Elasticsearch developers:
1) You can upgrade to a JDK later than 8 to achieve at least partial mitigation.
2) Follow the Elasticsearch instructions from the developer and upgrade to Elasticsearch 6.8.21 or 7.16.1 or later.
In case you can’t update your version, here is an additional method to address the same problem:
- Disable message lookups (formatMsgNoLookups) as follows:
  - Stop the Elasticsearch service.
  - Add -Dlog4j2.formatMsgNoLookups=true to the log4j part of /etc/elasticsearch/jvm.options
  - Restart the Elasticsearch service.
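The following shell functions are an added example (not from Pandora FMS or Elastic) that apply the jvm.options step above idempotently, with a backup, and verify that the flag is really present as an uncommented line before the service is restarted. The file path is a parameter defaulting to /etc/elasticsearch/jvm.options; note that the log4j2.formatMsgNoLookups property only exists in Log4j 2.10 and later, so on older bundled versions the Elasticsearch upgrade is the only option.

```shell
#!/bin/sh
# Added example (not Pandora FMS's or Elastic's own code): apply and verify the
# jvm.options mitigation for CVE-2021-44228 on an Elasticsearch node.
# Assumption: the node runs a bundled Log4j >= 2.10, where this property exists.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Append the JVM flag to a jvm.options file unless it is already present.
# Takes a backup first. Returns 0 on success, 1 if the file does not exist.
apply_nolookups() {
    file="${1:-/etc/elasticsearch/jvm.options}"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # -x: whole-line match, -F: literal, -e: the pattern starts with '-'
    if grep -qxF -e "$FLAG" "$file"; then
        return 0   # already applied; nothing to do
    fi
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    printf '\n# CVE-2021-44228 mitigation (Log4j 2.10+ only)\n%s\n' "$FLAG" >> "$file"
}

# Verify the mitigation: an exact, uncommented line equal to the flag must exist.
# Returns 0 if mitigated, 1 otherwise (missing file or flag absent/commented out).
check_nolookups() {
    file="${1:-/etc/elasticsearch/jvm.options}"
    [ -f "$file" ] || return 1
    grep -qxF -e "$FLAG" "$file"
}

# Usage (as root on the Elasticsearch host, matching the steps above):
#   systemctl stop elasticsearch
#   apply_nolookups /etc/elasticsearch/jvm.options && check_nolookups \
#       && systemctl start elasticsearch
```

Running check_nolookups after the restart on every node is the cheap way to confirm the change was not lost to a configuration-management overwrite; the exact-line match deliberately rejects a commented-out copy of the flag.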
Should anything else arise, we will keep you informed.
Pandora FMS’s editorial team is made up of a group of writers and IT professionals with one thing in common: their passion for computer system monitoring.