Last active
December 23, 2021 21:02
Bash script that updates the log4j jars bundled with Elasticsearch and Logstash to 2.17.0, to address Log4Shell and the denial-of-service vulnerability in log4j 2.x
#!/bin/bash

# Target log4j release. A non-empty LOG4J_VERSION from the environment wins;
# otherwise the script falls back to 2.17.0.
# NOTE(review): this value is later spliced into the download URL, file names
# and sed expressions without validation, so it should only ever be a plain
# release number.
: "${LOG4J_VERSION:=2.17.0}"
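################################################################################
# cleanup handler
#
# Removes the scratch directory named by TEMPDIR; registered as the EXIT trap.
# Globals:  TEMPDIR (read)
# Returns:  0 when there was nothing to remove, otherwise the status of rm.
function cleanup {
  # Only ever delete an existing directory below /tmp. The expansions are
  # quoted so that an empty value or a path containing whitespace cannot make
  # the test misbehave or hand rm -rf more than one argument.
  [[ -n "${TEMPDIR:-}" && -d "$TEMPDIR" && "$TEMPDIR" == /tmp/* ]] || return 0
  rm -rf -- "$TEMPDIR"
}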
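################################################################################
# make temp paths and register cleanup handler
#
# Stop immediately when no scratch directory could be created: with an empty
# TEMPDIR the later pushd would not change directory and the download would
# land in whatever directory the script was started from.
if ! TEMPDIR=$(mktemp -d); then
  echo "Unable to create a temporary working directory" >&2
  exit 1
fi
trap cleanup EXIT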
################################################################################
# default to elasticsearch if no ELK variable exists
ELK=${ELK:-elasticsearch}

################################################################################
# bail if ELK is not elasticsearch or logstash -- that's all we can handle
# LOG4J_PATH is only ever one of the two fixed install roots below.
case "$ELK" in
  elasticsearch)
    LOG4J_PATH="/usr/share/elasticsearch"
    ;;
  logstash)
    LOG4J_PATH="/usr/share/logstash"
    ;;
  *)
    echo "ELK must be either 'elasticsearch' or 'logstash'"
    exit 1
    ;;
esac
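################################################################################
# if we can't find the ELK path, bail
#
# The path is quoted: with the unquoted `[ ! -d $LOG4J_PATH ]` form an empty
# value turns the test into `[ ! -d ]`, which is false, so the script would
# carry on without a valid install root.
if [[ ! -d "$LOG4J_PATH" ]]; then
  echo "$LOG4J_PATH does not exist. Are you sure this server runs ${ELK}?"
  exit 1
fi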
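################################################################################
# make sure we have curl or wget
#
# `command -v` is a shell builtin, so the probe no longer depends on the
# external `which` program being installed. CURL_BIN / WGET_BIN receive the
# resolved path (empty when the tool is missing); HAS_CURL / HAS_WGET are the
# strings "true" or "false".
if CURL_BIN=$(command -v curl 2> /dev/null); then
  HAS_CURL=true
else
  HAS_CURL=false
fi

if WGET_BIN=$(command -v wget 2> /dev/null); then
  HAS_WGET=true
else
  HAS_WGET=false
fi

# One downloader is enough; stop only when both are missing.
if [[ "$HAS_CURL" != true && "$HAS_WGET" != true ]]; then
  echo "No curl or wget found in path. This script requires one of them."
  exit 1
fi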
################################################################################
# are we running in live mode or dry-run?
# Dry-run is the default; only the literal first argument "--live" switches
# the script to making changes.
LIVE=false
if [[ "$1" == "--live" ]]; then
  LIVE=true
fi

case "$LIVE" in
  true)
    echo "This is a live run"
    ;;
  *)
    echo "This is not a live run; no changes will be made."
    ;;
esac
echo
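################################################################################
# find affected log4j jars and list them
#
# log4j ends up holding one matching path per line.
# NOTE(review): the pattern requires a three-part version (2.x.y); a jar named
# with a two-part version (2.x) would not be listed -- TODO confirm no such
# jar is installed before treating the host as patched.
# NOTE(review): find runs without sudo and its stderr is discarded, so
# directories the current user cannot read are skipped silently.
if ! log4j=$(find "$LOG4J_PATH" 2> /dev/null | grep -E 'log4j(-[a-z0-9]*)*-2\.[0-9]*\.[0-9]\.jar$'); then
  echo "No files were found in $LOG4J_PATH"
  exit 0
fi

echo "Found the following log4j jar files..."
echo "--------------------------------------------------------------------------------"
# Print the list verbatim; looping over the unquoted variable would split
# paths on whitespace and expand glob characters.
printf '%s\n' "$log4j"
echo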
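################################################################################
# backup the current elk path
#
# Live mode only: archives the whole install root into a fresh temp file
# (TEMP_BACKUP) before anything is modified. Anything other than LIVE=true is
# treated as a dry run.
if [[ "$LIVE" == true ]]; then
  if ! TEMP_BACKUP=$(mktemp --suffix=.tar.gz); then
    echo "Unable to create a temporary file for the backup" >&2
    exit 1
  fi

  echo "Creating backup of $LOG4J_PATH in $TEMP_BACKUP"
  echo

  echo "sudo tar czf $TEMP_BACKUP $LOG4J_PATH 2>/dev/null"
  echo

  echo "Please wait..."
  # Run tar from a fixed argument list rather than eval'ing a command string,
  # so nothing in the path values is re-parsed by the shell.
  if ! sudo tar czf "$TEMP_BACKUP" "$LOG4J_PATH" 2> /dev/null; then
    echo "Unable to create backup of $LOG4J_PATH"
    exit 1
  fi
  echo
fi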
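################################################################################
# fetch log4j version from apache
#
# Live mode only: downloads the binary tarball and its .sha512 file into
# TEMPDIR, verifies the digest, then unpacks the tarball there.
# NOTE(review): the .sha512 file is served by the same host as the archive, so
# this check catches a corrupted or truncated download but not a tampered
# origin. Verifying the release's detached signature against the project's
# published KEYS file would add authenticity.
if [[ "$LIVE" == true ]]; then
  echo "Fetching the updated apache log4j $LOG4J_VERSION package"
  echo

  FILENAME="apache-log4j-${LOG4J_VERSION}-bin.tar.gz"
  ARCHIVE="https://archive.apache.org/dist/logging/log4j/${LOG4J_VERSION}/${FILENAME}"
  SHA512="${ARCHIVE}.sha512"

  # Without this check a failed pushd would leave the downloads in the
  # caller's current directory.
  if ! pushd "$TEMPDIR"; then
    echo "Unable to enter $TEMPDIR" >&2
    exit 1
  fi

  fetched=true
  for url in "$ARCHIVE" "$SHA512"; do
    if [[ "$HAS_CURL" == true ]]; then
      # --fail: return non-zero on an HTTP error instead of saving the
      # server's error page under the expected file name.
      curl --fail -O "$url" || fetched=false
    else
      wget "$url" || fetched=false
    fi
  done
  if [[ "$fetched" != true ]]; then
    echo "Unable to download $ARCHIVE or its checksum"
    exit 1
  fi

  echo
  echo

  TARBALL=${TEMPDIR}/${FILENAME}
  APACHE_SHA512=${TARBALL}.sha512
  LINUX_SHA512=${TARBALL}.sha512.linux

  # The sed expression expects the published file to read
  # "<file>: <upper-case hex>" (possibly wrapped over several lines) and
  # rewrites it to "<hex><TAB><file>" for sha512sum -c. Any other layout
  # leaves a file sha512sum cannot parse, which should fail the check below.
  tr -d '\n' < "$APACHE_SHA512" \
    | sed -E -e 's/\s*//g' -e 's/^('"${FILENAME}"'):([A-F0-9]*)/\2\t\1/g' > "$LINUX_SHA512"

  echo "Verifying the archive SHA512 sum"
  if ! sha512sum -c "$LINUX_SHA512"; then
    echo "SHA512 sum does not match expected value"
    exit 1
  fi

  # Unpack only after the digest matched.
  echo "Extracting the archive to $TEMPDIR"
  if ! tar xzf "$TARBALL" > /dev/null 2>&1; then
    echo "Unable to extract archive"
    exit 1
  fi

  popd
  echo
fi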
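################################################################################
# replace old log4j versions
#
# The jar paths were collected by walking the install tree, so they are
# handled as data: every command runs from an argument list (no eval of a
# string built from path names) and the path lists are read line by line
# instead of being word-split.

# Print the display form of a command and, in live mode only, run it.
# Globals:   LIVE (read)
# Arguments: $1 - text shown to the operator; remaining arguments - the command
# Returns:   the command's exit status in live mode, 0 in a dry run
run_step() {
  local shown=$1
  shift
  echo "$shown"
  if [[ "$LIVE" == true ]]; then
    "$@"
  fi
}

COUNT=0
# fd 3 carries the jar list so the commands in the loop keep the script's stdin.
while IFS= read -r -u 3 file; do
  [[ -n "$file" ]] || continue

  dir=$(dirname -- "$file")
  base=$(basename -- "$file")
  # Same file name with the version component swapped for the target release.
  newfile=$(printf '%s\n' "$base" | sed -E -e 's/2\.[0-9]*\.[0-9]/'"${LOG4J_VERSION}"'/')
  path_newfile="${TEMPDIR}/apache-log4j-${LOG4J_VERSION}-bin/${newfile}"

  # The replacement only exists after a live download; skip jars the
  # distribution does not ship rather than deleting them.
  if [[ "$LIVE" == true && ! -f "$path_newfile" ]]; then
    echo "Unable to find replacement library ${path_newfile}"
    continue
  fi

  echo "--------------------------------------------------------------------------------"
  if printf '%s\n' "$file" | grep -E 'log4j(-[a-z0-9]*)*-'"${LOG4J_VERSION}"'\.jar$' > /dev/null 2>&1; then
    echo "$file has already been updated to $LOG4J_VERSION"
  else
    COUNT=$((COUNT + 1))
    echo "Replacing $file with $path_newfile"
    echo

    run_step "sudo rm -f $file" sudo rm -f -- "$file"
    # The old jar is already gone at this point, so a failed copy must not
    # pass unnoticed.
    run_step "sudo cp -f ${path_newfile} ${dir}" sudo cp -f -- "$path_newfile" "$dir" \
      || echo "WARNING: could not copy ${newfile} into ${dir}; restore it from the backup" >&2

    ############################################################################
    # ruby gems need their paths and dependency files updated, too
    GEM_PATH=$(printf '%s\n' "$file" | grep -o -E '(/[^/]*)*/gems/[^/]*')
    if [[ -n "$GEM_PATH" ]]; then
      echo
      echo "Found ruby GEM $GEM_PATH"
      echo

      # Gem jars live in a directory named after the version; rename it to
      # match the new release.
      jar_dir=$dir
      new_jar_dir=$(printf '%s\n' "$jar_dir" | sed -E -e 's/2\.[0-9]*\.[0-9]$/'"${LOG4J_VERSION}"'/')
      echo "Renaming ${jar_dir} to ${new_jar_dir}"
      echo

      run_step "sudo mv '${jar_dir}' '${new_jar_dir}'" sudo mv -- "$jar_dir" "$new_jar_dir"
      echo

      GEM_PATH="${GEM_PATH}/lib"
      # NOTE(review): the sed below rewrites the version on every
      # org.apache.logging.log4j line of each .rb file it visits, including
      # lines for artifacts whose jar was not replaced above -- verify the
      # printed diff.
      while IFS= read -r -u 4 rb_file; do
        [[ -n "$rb_file" ]] || continue
        echo "Fixing ruby dependency file $rb_file"
        echo

        run_step "sudo sed -E -i.bak -e '/org.apache.logging.log4j/ s/2\.[0-9]*\.[0-9]/'${LOG4J_VERSION}'/' $rb_file" \
          sudo sed -E -i.bak -e '/org.apache.logging.log4j/ s/2\.[0-9]*\.[0-9]/'"${LOG4J_VERSION}"'/' "$rb_file"

        if [[ "$LIVE" == true ]]; then
          # Show what changed; sed kept the previous content as <file>.bak.
          echo "diff -u ${rb_file}.bak $rb_file"
          echo
          diff -u "${rb_file}.bak" "$rb_file"
        fi
      done 4< <(find "$GEM_PATH" -maxdepth 2 -iname "*.rb")
    fi
  fi

  echo "--------------------------------------------------------------------------------"
  echo
done 3<<< "$log4j"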
################################################################################
# tell the user what happened and the location of the backup path
# Printed for live runs only: the replacement count and where the backup
# archive of the install root was written.
if $LIVE; then
  cat <<EOF
Updated $COUNT log4j libraries

--------------------------------------------------------------------------------
A backup of $LOG4J_PATH has been saved in $TEMP_BACKUP if you need to revert.
You can delete this file if everything looks okay
Don't forget to restart your elasticsearch or logstash process now
--------------------------------------------------------------------------------

EOF
fi
Thanks! Quick usage update:
Dry Run
ELK=elasticsearch bash fix-elk-log4j.sh
ELK=logstash bash fix-elk-log4j.sh
Actually Make Changes
ELK=elasticsearch bash fix-elk-log4j.sh --live
ELK=logstash bash fix-elk-log4j.sh --live
The script has been updated to add more flexibility.
- allows version of LOG4J other than 2.16.0 (change LOG4J_VERSION in script or define in environment)
- verifies SHA512 checksum
- can use curl or wget
- no longer requires unzip
- updates all log4j 2 versions, not just 2.10-2.15 (to address DoS fixed by 2.17.0)
Sample outputs from a live run. These are from CentOS 7 servers running OpenDistro for Elasticsearch 1.13.2.
Elasticsearch
This is a live run
Found the following affected log4j jar files...
--------------------------------------------------------------------------------
/usr/share/elasticsearch/lib/log4j-api-2.16.0.jar
/usr/share/elasticsearch/lib/log4j-core-2.16.0.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.16.0.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.16.0.jar
/usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.16.0.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.16.0.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.16.0.jar
Creating backup of /usr/share/elasticsearch in /tmp/tmp.KGIaGFfkLf.tar.gz
[sudo tar czf /tmp/tmp.KGIaGFfkLf.tar.gz /usr/share/elasticsearch 2>/dev/null]
Please wait...
Fetching the updated apache log4j 2.17.0 package as /tmp/tmp.nJeZDFW2J8.zip
Extracting the archive to /tmp/tmp.8nfDS7jajw
/tmp/tmp.8nfDS7jajw ~
~
--------------------------------------------------------------------------------
Replacing /usr/share/elasticsearch/lib/log4j-api-2.16.0.jar with /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar
[sudo rm -f /usr/share/elasticsearch/lib/log4j-api-2.16.0.jar]
[sudo cp -f /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar /usr/share/elasticsearch/lib]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/elasticsearch/lib/log4j-core-2.16.0.jar with /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar
[sudo rm -f /usr/share/elasticsearch/lib/log4j-core-2.16.0.jar]
[sudo cp -f /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar /usr/share/elasticsearch/lib]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.16.0.jar with /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar
[sudo rm -f /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.16.0.jar]
[sudo cp -f /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.16.0.jar with /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar
[sudo rm -f /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.16.0.jar]
[sudo cp -f /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.16.0.jar with /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-slf4j-impl-2.17.0.jar
[sudo rm -f /usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.16.0.jar]
[sudo cp -f /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-slf4j-impl-2.17.0.jar /usr/share/elasticsearch/plugins/opendistro_security]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.16.0.jar with /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar
[sudo rm -f /usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.16.0.jar]
[sudo cp -f /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar /usr/share/elasticsearch/performance-analyzer-rca/lib]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.16.0.jar with /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar
[sudo rm -f /usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.16.0.jar]
[sudo cp -f /tmp/tmp.8nfDS7jajw/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar /usr/share/elasticsearch/performance-analyzer-rca/lib]
--------------------------------------------------------------------------------
Updated 7 log4j libraries
--------------------------------------------------------------------------------
A backup of /usr/share/elasticsearch has been saved in /tmp/tmp.KGIaGFfkLf.tar.gz if you need to revert.
You can delete this file if everything looks okay
Don't forget to restart your elasticsearch or logstash process now
--------------------------------------------------------------------------------
Logstash
This is a live run
Found the following affected log4j jar files...
--------------------------------------------------------------------------------
/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.16.0.jar
/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.16.0.jar
/usr/share/logstash/logstash-core/lib/jars/log4j-jcl-2.16.0.jar
/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.16.0.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.9.1.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.9.1/log4j-slf4j-impl-2.9.1.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar
Creating backup of /usr/share/logstash in /tmp/tmp.mmDp4kglCZ.tar.gz
[sudo tar czf /tmp/tmp.mmDp4kglCZ.tar.gz /usr/share/logstash 2>/dev/null]
Please wait...
Fetching the updated apache log4j 2.17.0 package as /tmp/tmp.EaELa3iK9i.zip
Extracting the archive to /tmp/tmp.Eb1Ymm0Mke
/tmp/tmp.Eb1Ymm0Mke ~
~
--------------------------------------------------------------------------------
Replacing /usr/share/logstash/logstash-core/lib/jars/log4j-api-2.16.0.jar with /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar
[sudo rm -f /usr/share/logstash/logstash-core/lib/jars/log4j-api-2.16.0.jar]
[sudo cp -f /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar /usr/share/logstash/logstash-core/lib/jars]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.16.0.jar with /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar
[sudo rm -f /usr/share/logstash/logstash-core/lib/jars/log4j-core-2.16.0.jar]
[sudo cp -f /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar /usr/share/logstash/logstash-core/lib/jars]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/logstash/logstash-core/lib/jars/log4j-jcl-2.16.0.jar with /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-jcl-2.17.0.jar
[sudo rm -f /usr/share/logstash/logstash-core/lib/jars/log4j-jcl-2.16.0.jar]
[sudo cp -f /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-jcl-2.17.0.jar /usr/share/logstash/logstash-core/lib/jars]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.9.1.jar with /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar
[sudo rm -f /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.9.1.jar]
[sudo cp -f /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1]
Found ruby GEM /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3
Renaming /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1 to /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.0
[sudo mv '/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1' '/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.0']
Fixing ruby dependency file /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb
[sudo sed -E -i.bak -e '/org.apache.logging.log4j/ s/2\.[0-9]*\.[0-9]/'2.17.0'/' /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb][diff -u /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb.bak /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb]
--- /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb.bak 2021-03-18 05:39:23.000000000 +0000
+++ /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb 2021-12-23 18:49:20.402567255 +0000
@@ -3,9 +3,9 @@
require 'jar_dependencies'
require_jar('com.google.code.gson', 'gson', '2.8.5')
require_jar('org.apache.qpid', 'proton-j', '0.33.3')
-require_jar('org.apache.logging.log4j', 'log4j-slf4j-impl', '2.9.1')
+require_jar('org.apache.logging.log4j', 'log4j-slf4j-impl', '2.17.0')
require_jar('com.microsoft.azure', 'azure-eventhubs', '2.2.0')
require_jar('com.microsoft.azure', 'qpid-proton-j-extensions', '1.1.0')
require_jar('com.microsoft.azure', 'azure-eventhubs-eph', '2.4.0')
require_jar('com.microsoft.azure', 'azure-storage', '8.0.0')
-require_jar('org.apache.logging.log4j', 'log4j-api', '2.9.1')
+require_jar('org.apache.logging.log4j', 'log4j-api', '2.17.0')
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.9.1/log4j-slf4j-impl-2.9.1.jar with /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-slf4j-impl-2.17.0.jar
[sudo rm -f /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.9.1/log4j-slf4j-impl-2.9.1.jar]
[sudo cp -f /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-slf4j-impl-2.17.0.jar /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.9.1]
Found ruby GEM /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3
Renaming /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.9.1 to /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.17.0
[sudo mv '/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.9.1' '/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.17.0']
Fixing ruby dependency file /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb
[sudo sed -E -i.bak -e '/org.apache.logging.log4j/ s/2\.[0-9]*\.[0-9]/'2.17.0'/' /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb][diff -u /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb.bak /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.2.3/lib/logstash-input-azure_event_hubs.rb]
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar with /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar
[sudo rm -f /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar]
[sudo cp -f /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0]
Found ruby GEM /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java
Renaming /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0 to /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.0
[sudo mv '/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0' '/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.0']
Fixing ruby dependency file /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/lib/logstash-input-beats_jars.rb
[sudo sed -E -i.bak -e '/org.apache.logging.log4j/ s/2\.[0-9]*\.[0-9]/'2.17.0'/' /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/lib/logstash-input-beats_jars.rb]
[diff -u /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/lib/logstash-input-beats_jars.rb.bak /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/lib/logstash-input-beats_jars.rb]
--- /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/lib/logstash-input-beats_jars.rb.bak 2021-12-22 18:13:37.000000000 +0000
+++ /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.1.0-java/lib/logstash-input-beats_jars.rb 2021-12-23 18:49:20.585573862 +0000
@@ -7,5 +7,5 @@
require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.9.10')
require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.9.10.4')
require_jar('com.fasterxml.jackson.module', 'jackson-module-afterburner', '2.9.10')
-require_jar('org.apache.logging.log4j', 'log4j-api', '2.16.0')
+require_jar('org.apache.logging.log4j', 'log4j-api', '2.17.0')
require_jar('org.logstash.beats', 'logstash-input-beats', '6.1.0')
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Replacing /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar with /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar
[sudo rm -f /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar]
[sudo cp -f /tmp/tmp.Eb1Ymm0Mke/apache-log4j-2.17.0-bin/log4j-api-2.17.0.jar /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0]
Found ruby GEM /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java
Renaming /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0 to /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.0
[sudo mv '/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.16.0' '/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.0']
Fixing ruby dependency file /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/lib/logstash-input-http_jars.rb
[sudo sed -E -i.bak -e '/org.apache.logging.log4j/ s/2\.[0-9]*\.[0-9]/'2.17.0'/' /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/lib/logstash-input-http_jars.rb]
[diff -u /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/lib/logstash-input-http_jars.rb.bak /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/lib/logstash-input-http_jars.rb]
--- /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/lib/logstash-input-http_jars.rb.bak 2021-12-22 18:13:37.000000000 +0000
+++ /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.7-java/lib/logstash-input-http_jars.rb 2021-12-23 18:49:20.674577074 +0000
@@ -2,5 +2,5 @@
require 'jar_dependencies'
require_jar('io.netty', 'netty-all', '4.1.49.Final')
-require_jar('org.apache.logging.log4j', 'log4j-api', '2.16.0')
+require_jar('org.apache.logging.log4j', 'log4j-api', '2.17.0')
require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.3.7')
--------------------------------------------------------------------------------
Updated 8 log4j libraries
--------------------------------------------------------------------------------
A backup of /usr/share/logstash has been saved in /tmp/tmp.mmDp4kglCZ.tar.gz if you need to revert.
You can delete this file if everything looks okay
Don't forget to restart your elasticsearch or logstash process now
--------------------------------------------------------------------------------
Dry Run
Actually Make Changes
Edit: Fixed the instructions after seeing @jafolkerts comments. Thanks.