The latest information about the Apache Log4j vulnerabilities, and whether and how they affect Zenarmor, is explained below.

Last Update: December 19 1:00pm Pacific Time

This advisory addresses Zenarmor on the OPNsense firewall. On other platforms, Zenarmor does not directly manage the installation of Elasticsearch; please consult your database administrators on how to take the proper action there.

TLDR;

If you're using Zenarmor with the Elasticsearch Reporting Backend on the OPNsense firewall (the other reporting backends are not affected), please update your Elasticsearch package to the 5.6.8_7 release. The new package replaces the bundled log4j library with the fixed version recommended by Apache (2.17.0), which is the final fix.

Just head to System -> Firmware -> Updates. Click on Check Updates. You'll see an elasticsearch update reported (From 5.6.8_5 to 5.6.8_7). Run the update and restart the Elasticsearch service from Zenarmor -> Status.

Please read on below if you would like to learn more details.

Background

Several vulnerabilities impacting multiple versions of the Apache Log4j 2 library were disclosed publicly between December 9 and December 19, 2021: CVE-2021-44228 (the JNDI lookup remote code execution flaw known as "Log4Shell"), CVE-2021-45046 (an incomplete fix for it in log4j 2.15.0) and CVE-2021-45105 (a denial-of-service flaw fixed in log4j 2.17.0). Log4j is a standard logging library used by many Java applications.

Is Zenarmor Affected?

Core Product: Not affected
Not employing Java

Reporting Backends:

Mongodb Backend: Not affected
Not employing Java

Sqlite Backend: Not affected
Not employing Java

Elasticsearch Backend: Affected, Elasticsearch package update recommended.
Elasticsearch is written in Java and bundles the log4j library mentioned above, so we're closely monitoring the official updates from Elastic.co.

Update: December 19 1:00pm PT

Another vulnerability, a denial of service (CVE-2021-45105), was discovered in the log4j library. We've updated the Elasticsearch package to 5.6.8_7, which addresses all three reported CVEs. Please read below to learn how to update your Elasticsearch Reporting Backend.

Update: December 16 8:00am PT

Elastic updated its advisory to list Elasticsearch 5.x as also affected. Please read below to learn how to update your Elasticsearch Reporting Backend.

Update: December 13 2:00pm PT

As of now (December 13, 2021), the official announcement is as such:

“Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager, however we are making a fix available for an information leakage attack also associated with this vulnerability.”

Source: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Final Solution:

We advise the following course of action.

We've shipped an updated build of Elasticsearch. Please update your Elasticsearch package to the 5.6.8_7 release. The new package replaces the bundled log4j library with the fixed version recommended by Apache (2.17.0), which is the final fix.

This update handles all three reported CVEs. (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

Steps to update (on OPNsense):

  1. Head to System -> Firmware -> Updates. Click on Check Updates. You'll see an elasticsearch update reported (From 5.6.8_5 to 5.6.8_7). Run the update.
  2. Restart the Elasticsearch service from Zenarmor -> Status. The restart is required: the running JVM keeps the old log4j classes loaded until the service is restarted, so the package update alone does not close the hole.

You're done.
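For those who want to confirm the result on the firewall shell rather than trust the package list, the following script is an added check and is not part of the Zenarmor advisory or the Elasticsearch package. It reads the version from the log4j-core jar filename in the Elasticsearch library directory and compares it numerically against 2.17.0; the library path /usr/local/lib/elasticsearch/lib, the package name elasticsearch5 and the script name check_log4j.sh are assumptions for this example and should be adjusted to your install.

```shell
#!/bin/sh
# check_log4j.sh: verify the log4j-core jar bundled with Elasticsearch on the
# firewall is at least 2.17.0. Added example, not code from the advisory.
#
# Assumptions (not stated in the advisory): the Elasticsearch library
# directory and the OPNsense package name below. Override via environment.
ES_LIB="${ES_LIB:-/usr/local/lib/elasticsearch/lib}"
ES_PKG="${ES_PKG:-elasticsearch5}"
MIN_LOG4J="2.17.0"

# version_ge A B: succeeds when dotted version A is >= B, comparing each of
# the three numeric fields in turn (string comparison would rank 2.3 > 2.17).
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# log4j_core_version DIR: print the version embedded in the name of
# DIR/log4j-core-<version>.jar; fail when no such jar exists. Only log4j-core
# matters here, since the JNDI lookup code that CVE-2021-44228 abuses lives
# in that artifact, not in log4j-api.
log4j_core_version() {
    for jar in "$1"/log4j-core-*.jar; do
        [ -f "$jar" ] || return 1
        v=${jar##*/log4j-core-}
        printf '%s\n' "${v%.jar}"
        return 0
    done
    return 1
}

# check_log4j DIR: succeed when the bundled log4j-core is >= MIN_LOG4J,
# fail (with a message on stderr) when it is older or missing.
check_log4j() {
    v=$(log4j_core_version "$1") || {
        echo "no log4j-core jar found under $1" >&2
        return 1
    }
    if version_ge "$v" "$MIN_LOG4J"; then
        echo "log4j-core $v in $1: OK (>= $MIN_LOG4J)"
        return 0
    fi
    echo "log4j-core $v in $1: VULNERABLE, update to >= $MIN_LOG4J" >&2
    return 1
}

# Run the real check only when invoked as: sh check_log4j.sh check
if [ "${1:-}" = "check" ]; then
    # Installed package version as reported by pkg(8); the name is an assumption.
    pkg query '%v' "$ES_PKG" 2>/dev/null || echo "package $ES_PKG not found" >&2
    check_log4j "$ES_LIB"
fi
```

Run it as `sh check_log4j.sh check` after the package update and the service restart. The jar check confirms what is on disk, not what the running JVM has loaded, which is why the restart in step 2 is still needed; a jar file that is in place but predates the restart is exactly the case where `pkg` says 5.6.8_7 while the process is still vulnerable.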

FAQ:

Does this update handle all three CVEs?

Yes. This update handles all three reported CVEs. (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

Are you going to switch to Elasticsearch 7.x?

Starting with OPNsense 22.1 and/or Zenarmor 1.11, new installations will default to Elasticsearch 7.x. For those who have data on Elasticsearch 5.x, we're planning to maintain the Elasticsearch 5.6.x release series for security updates for one more year (until January 2023). Please stay in touch for updates.