
Log4Shell

jmoosdijk edited this page Jan 17, 2022 · 5 revisions

Info on Log4Shell vulnerability

RedELK prior to v2 beta 5 is vulnerable to Log4Shell. This is because:

  • Logstash prior to version 7.16.3 is vulnerable.
  • The Neo4j image prior to 4.2 is vulnerable.

Other components are either not vulnerable or implemented in such a way that they are not exploitable. Well, at least that is what we think after a quick review. Either way, the result of the review was that we should upgrade, so that is what we did. You can track our discussion on this topic here.

  • Immediate mitigating measure is to disable Logstash on your RedELK server. This way, no new data will come to your RedELK server.

  • Long term solutions are twofold: new installation (preferred) or upgrade (not preferred, not extensively tested).

1 - preferred - New installation

The preferred way is to nuke your RedELK install and install at least version v2.0.0.0beta5.

2 - less preferred - upgrade your existing install

Warning: upgrading RedELK was never supported and never thought of. RedELK installs should not exist beyond a single operation, most likely a few months at most.

However, due to Log4Shell, we tried to see if upgrading is possible without breaking too much.

On your elkserver:

  • Stop all redelk docker images: docker stop $(docker ps -a -q --filter="name=redelk")
  • Set the right RedELK version: In file /elkserver/.env set REDELKVERSION=v2.0.0-beta.5
  • Disable Kibana app installation: In file /elkserver/docker/redelk-kibana/Dockerfile comment out the last line to disable the installation of the Kibana RedELK app. It should read like #RUN /usr/share/kibana/bin/kibana-plugin install https://github.com/fastlorenzo/redelk-kibana-app/releases/download/v0.3.0/redelk-7.10.0.zip
  • In your docker-compose.yml, update the Neo4j image version used by the 'bloodhound' container to 4.4.3, i.e.: image: neo4j:4.4.3
  • Run docker-compose pull to pull the new image versions.
  • Run docker-compose up -d
  • Wait several minutes for docker-compose to complete. It could take a while before all containers are fully up and running.
  • Browse to your Kibana RedELK interface. This should work. If not, wait some more and maybe check the docker logs. You can safely ignore the error on serverbaseUrl (or something like that).

On all your c2 servers and redirectors:

  • Make a backup of your filebeat config: cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.backupredelkupgrade
  • Stop the filebeat service: service filebeat stop
  • Upgrade filebeat to 7.16.3: apt-get update && apt-get install filebeat="7.16.3"
  • If apt asks to overwrite the filebeat config file, say No. If apt did it anyway, well, you still got your backup config file.
  • Start the filebeat service: service filebeat start

You can check that new events are coming in on your RedELK server by looking for agent.version fields containing 7.16.3.
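As an added example (not RedELK's own code), here is a small post-upgrade audit script that checks the version targets from both lists above on whichever host it runs on. The path /elkserver/docker-compose.yml, the REDELK_AUDIT switch and the format of the `filebeat version` output are assumptions; /elkserver/.env is the file named on this page.

```shell
#!/usr/bin/env bash
# Post-upgrade audit for the version targets this page prescribes (added example,
# not part of RedELK). Assumed: /elkserver/docker-compose.yml next to the .env
# file named above, and that `filebeat version` prints X.Y.Z as its first version token.

# version_ge A B -> exit 0 when dotted version A >= B (GNU sort -V ordering)
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# neo4j_image_ok < docker-compose.yml -> true when the neo4j image tag is >= 4.4.3
neo4j_image_ok() {
  local tag
  tag=$(grep -Eo 'image:[[:space:]]*neo4j:[0-9.]+' | head -n1 | sed 's/.*neo4j://')
  [ -n "$tag" ] && version_ge "$tag" "4.4.3"
}

# redelk_env_ok < .env -> true when REDELKVERSION is v2.0.0-beta.5 or later
redelk_env_ok() {
  local ver
  ver=$(grep -E '^REDELKVERSION=' | head -n1 | cut -d= -f2- | tr -d '"' | sed 's/^v//')
  [ -n "$ver" ] && version_ge "$ver" "2.0.0-beta.5"
}

# version_in_output_ok OUTPUT MIN -> true when the first X.Y.Z token in OUTPUT is >= MIN
# (used for the 7.16.3 Filebeat target; the same helper fits the Logstash 7.16.3 target)
version_in_output_ok() {
  local ver
  ver=$(printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
  [ -n "$ver" ] && version_ge "$ver" "$2"
}

# audit_host -> non-zero when any check applicable to this host fails
audit_host() {
  local rc=0
  if [ -f /elkserver/.env ]; then  # elkserver
    neo4j_image_ok < /elkserver/docker-compose.yml || { echo "neo4j image < 4.4.3"; rc=1; }
    redelk_env_ok < /elkserver/.env || { echo "REDELKVERSION < v2.0.0-beta.5"; rc=1; }
  fi
  if command -v filebeat >/dev/null 2>&1; then  # c2 server or redirector
    version_in_output_ok "$(filebeat version 2>/dev/null)" 7.16.3 \
      || { echo "filebeat < 7.16.3"; rc=1; }
  fi
  return "$rc"
}

# Run with REDELK_AUDIT=1 to audit the current host; the exit status is the result.
if [ "${REDELK_AUDIT:-0}" = "1" ]; then audit_host; fi
```

A non-zero exit from audit_host means at least one component is still on a pre-fix version and the corresponding step above has not taken effect.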