most of Zammad instances make use of Elasticsearch.
Please note that a 0day appeared in log4j-* modules (Java) which indirectly may affect Elasticsearch.
The current suggested workaround is to create a new file nolog4j0day.options within /etc/elasticsearch/jvm.options.d/ that contains the following string
-Dlog4j2.formatMsgNoLookups=true
Don’t forget restarting your Elasticsearch service.
Please note that the workaround may be different for docker users.
Update
Application and source code users:
Please update your Elasticsearch version to 7.16.1 if not done already.
According to Elastic this version is no longer affected by log4j.
Don’t forget the attachment plugin-reinstallation hint hint.
Above provided workaround is no longer required.
docker-compose users
Please update to compose tag 5.0.3-7 or later.
Starting 5.0.3-7 the Elasticsearch version being used is 7.16.1.
helm-chart users
Helm-chart version zammad-6.0.2 contains Zammad 5.0.3 together with Elasticsearch 7.16.1.
Please update to the latest possible helm-chart version as soon as possible.
# Connect to your Zammad server
ssh myuser@myzammadserver -i ~/.ssh/mysshkey
# Go to Zammad folder
cd /opt/zammad
## create a file INSIDE the running elasticsearch docker container in /usr/share/elasticsearch/config/jvm.options.d/nolog4j0day.options
docker exec zammad_zammad-elasticsearch_1 bash -c "echo '-Dlog4j2.formatMsgNoLookups=true' > /usr/share/elasticsearch/config/jvm.options.d/nolog4j0day.options"
# restart ES Service
docker-compose stop zammad-elasticsearch
docker-compose start zammad-elasticsearch
## Verify that formatMsgNoLookups=true is in the output
ps auxfww | grep formatMsgNoLookups=true
I think the approach with the .options-file/jvm.options.d/nolog4j0day.options is additive: options are added to existing defaults.
But maybe Zammad people can clarify.
btw by now Elastic noted that Elasticsearch 6.8.x and 7.2+ are not affected by above noted CVE.
Above mentioned steps and workarounds may still be a safety measure for your better sleep.
It has no negative effect on your Zammad instance together with Elasticsearch.
@MrGeneration Thanks for your heads up here like usual
But please update the mitigation hint to check JVM option at runtime.
On Ubuntu /etc/elasticsearch/jvm.options.d/ might not work!
The workaround is now included in the 7.16.1 release, packages and docker images already available:
Users may upgrade to Elasticsearch 7.16.1 27 or 6.8.21 16, which were released on December 13, 2021. These releases do not upgrade the Log4j package, but mitigate the vulnerability by setting the JVM option 2.3k -Dlog4j2.formatMsgNoLookups=true and remove the vulnerable JndiLookup class from the Log4j package.
but beware on that one:
Note: In both of these scenarios, some vulnerability scanners may continue to flag Elasticsearch in association with this vulnerability based on the Log4j version alone. However, any of the above mitigations sufficiently protect both remote code execution and information leakage.
Elasticsearch is now available in version 7.16.1 in all repos (last state as per yesterday night).
Please see my first post on more input on all versions.
I’ll update this thread again as soon as we have helm-chart users covered as well.
The documentation and the supported ES versions are up to date and thus not lying to you.
We’re talking about ES security updates and you want to ignore Zammad security issues on that regard? Why not update to a current Zammad 5.0.3 to get the desired ES support and fix all known security issues?