Question

Solved1.87K views13th December 2021

5

Jason Boon [SLC] [DevOps Member]320 12th December 2021 1 Comment

Hi,

May I please confirm that adding the JVM option -Dlog4j2.formatMsgNoLookups=true to Elastic Search installations to address the recently reported log4j vulnerability is an acceptable immediate/short term solution?

Gellynck Jens [SLC] Answered question 13th December 2021

Bing Herng Chong [SLC] [DevOps Advocate] commented 13th December 2021

To add to the context of this question, we are aware that there are multiple users of DataMiner who have raised questions regarding this security vulnerability for both DataMiner 9.6 and 10.1 in their production deployments. More info regarding the vulnerability found here https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

Some guidance of the applicability of this security vulnerability to DataMiner infrastructure (core software and any other third-party software e.g.: databases MSSQL, ES, Cassandra, etc) is requested.

3 Answers

You are viewing 1 out of 3 answers, click here to view all answers.

To add to the context of this question, we are aware that there are multiple users of DataMiner who have raised questions regarding this security vulnerability for both DataMiner 9.6 and 10.1 in their production deployments. More info regarding the vulnerability found here https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

Some guidance of the applicability of this security vulnerability to DataMiner infrastructure (core software and any other third-party software e.g.: databases MSSQL, ES, Cassandra, etc) is requested.

score 2 · Answer 1 · 2021-12-13T09:42:37+00:00

2

Thomas Deweer [SLC]286 Posted 13th December 2021 0 Comments

Hello,

As mentioned on the official Elastic blog website, this indeed is a way to prevent the exploit.

Kind regards,

Jason Boon [SLC] [DevOps Member] Selected answer as best 13th December 2021

Elastic Search CVE-2021-44228 log4j2 RCE Vulnerability

3 Answers