Upgrade Graylog Against Log4Shell
About
A zero-day vulnerability affecting versions 2.0 through 2.14.1 of the Apache Log4j 2 package was publicly disclosed on December 9, 2021. In response, Graylog released the patched versions 3.3.15, 4.0.14, 4.1.9, and 4.2.3. Shortly afterward, a further Log4j patch was released to address additional vulnerabilities, and the bundled Log4j has since been upgraded to 2.16.0.
Log4j then patched a further vulnerability, CVE-2021-45046, which could enable a denial-of-service (DoS) attack. That is why the Graylog team decided to publish new 4.2.x, 4.1.x, 4.0.x, and 3.3.x releases that ship with Log4j 2.16.0.
In this guide, we provide all the steps necessary to upgrade instances of both Graylog Server and the Forwarder.
Graylog On-prem Update - OS Packages
The commands below apply to the operating system on which you have installed Graylog.
Debian
sudo apt-get update
# NOTE: During the next step you might be prompted to update the server.conf file. Do not overwrite it (select N): it holds custom configuration you need to preserve, and overwriting it risks taking down your Graylog instance altogether!
sudo apt-get install graylog-server
# Or, if you installed "graylog-enterprise" instead of "graylog-server":
sudo apt-get install graylog-enterprise
sudo systemctl restart graylog-server.service
RPM
sudo yum install --refresh graylog-server
# Or, if you installed "graylog-enterprise" instead of "graylog-server":
sudo yum install --refresh graylog-enterprise
sudo systemctl restart graylog-server.service
Forwarder Update - OS Packages
The following commands assume that the OS package repository files have been installed according to your Forwarder installation instructions.
Debian
The first command refreshes the package repository metadata so the latest package versions are visible; the second installs the latest version.
sudo apt-get update
# NOTE: During the next step you might be prompted to update your server.conf. Do not overwrite it (select N): it holds custom configuration you need to preserve, and overwriting it risks taking down your Graylog instance altogether!
sudo apt-get install graylog-forwarder
sudo systemctl restart graylog-forwarder.service
RPM
This updates the package to the latest version and forces a metadata refresh first so that the latest package versions are visible.
sudo yum update --refresh graylog-forwarder
sudo systemctl restart graylog-forwarder.service
Elasticsearch (ES)
Warning:
Elasticsearch 7.11 and higher are not supported by Graylog. If you upgrade to one of those versions, Graylog will break!
Elastic is affected by this vulnerability, as discussed in their forum post.
Affected Versions of ES
Elasticsearch versions 5.0.0+ contain a vulnerable version of Log4j. Our team confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7. An investigation is still underway for Elasticsearch 5.
ES Solutions and Mitigations
For Elasticsearch, add this JVM option:
-Dlog4j2.formatMsgNoLookups=true
For instructions on setting JVM configuration, review the steps in Elastic’s JVM options chapter.
Docker Compose
Ensure you add the -Dlog4j2.formatMsgNoLookups=true option within the Elasticsearch configuration of your docker-compose.yaml configuration file.
For example:
elasticsearch:
  image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
  environment:
    - http.host=0.0.0.0
    - transport.host=localhost
    - network.host=0.0.0.0
    - "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms4096m -Xmx4096m"
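After the package upgrades above and the Elasticsearch JVM option, a practitioner will want to confirm both took effect. The helpers below are an added example, not part of the Graylog documentation or the Graylog project: they check a JVM argument string for -Dlog4j2.formatMsgNoLookups=true and check log4j-core jar names against the 2.16.0 release this guide moves to. The jar listing at the end is a constructed sample, and the Graylog lib directory path it stands in for depends on your install.

```shell
#!/bin/sh
# Added example, not part of the Graylog docs: verify the Log4j version on disk
# and the JVM mitigation flag that this guide changes.

# Returns 0 when a JVM argument string (e.g. ES_JAVA_OPTS) carries the mitigation flag.
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the version embedded in a log4j-core jar name
# (log4j-core-2.14.1.jar -> 2.14.1); prints nothing for other jars.
log4j_version_from_jar() {
    basename "$1" .jar | sed -n 's/^log4j-core-//p'
}

# Returns 0 when version $1 is 2.16.0 or newer.
log4j_is_patched() {
    printf '%s\n' "$1" | awk -F. '{
        if ($1 > 2 || ($1 == 2 && $2 >= 16)) exit 0
        exit 1
    }'
}

# Reads jar file names from stdin (one per line) and prints each
# log4j-core jar that is still older than 2.16.0.
list_unpatched_cores() {
    while IFS= read -r jar; do
        v=$(log4j_version_from_jar "$jar")
        [ -n "$v" ] || continue
        log4j_is_patched "$v" || printf '%s\n' "$jar"
    done
}

# Scans the JVMs running on this host (via ps) for the flag; not used by the sample below.
check_running_jvms() {
    ps -eo pid=,args= | while read -r pid args; do
        case "$args" in *java*) ;; *) continue ;; esac
        if has_nolookups_flag "$args"; then
            echo "pid $pid: -Dlog4j2.formatMsgNoLookups=true present"
        else
            echo "pid $pid: flag absent (acceptable only if its Log4j is >= 2.16.0)"
        fi
    done
}

# Constructed sample standing in for a listing of the Graylog lib directory.
SAMPLE_JARS='log4j-api-2.16.0.jar
log4j-core-2.14.1.jar
log4j-core-2.16.0.jar'
printf '%s\n' "$SAMPLE_JARS" | list_unpatched_cores   # prints log4j-core-2.14.1.jar
```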