Fix CVE-2021-4104

Miguel Angel · mamedin · commit f832b52355a1 · 2021-12-14T17:46:35.000+01:00
To fix this log4j security issue:

    * ES v1.7.x: The JMSAppender.class is deleted
    * ES v5.x: No action required
    * ES v6.x: No action required
diff --git a/tasks/cve-2021-4104-patch.yml b/tasks/cve-2021-4104-patch.yml
@@ -0,0 +1,23 @@
+---
+- name: "Install zip package"
+  become: "yes"
+  package:
+    name: "zip"
+    state: "present"
+
+- name: "Check if JMSAppender.class has been removed"
+  become: "yes"
+  shell:
+    cmd: "unzip -l log4j-*.jar | grep JMSAppender.class"
+    chdir: "/usr/share/elasticsearch/lib"
+  register: "__jmsappender_class"
+  failed_when: "__jmsappender_class.rc not in [ 0, 1 ]"
+
+- name: "Remove JMSAppender.class"
+  become: "yes"
+  shell:
+    cmd: "zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class"
+    chdir: "/usr/share/elasticsearch/lib"
+  when:
+    - "__jmsappender_class.rc == 0"
+  notify: "Restart Elasticsearch"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -129,6 +129,13 @@
   tags:
     - "cve-2021-44228-patch"
 
+# Patch ES version 1.x for cve-2021-4104-vulnerability
+- include: cve-2021-4104-patch.yml
+  when:
+    - elasticsearch_version is version_compare('2.0', '<')
+  tags:
+    - "cve-2021-4104-patch"
+
 # Register Elasticsearch service to start on boot
 - name: Ensure Elasticsearch is started on boot
   service: name=elasticsearch enabled={{ elasticsearch_service_startonboot }} state={{ elasticsearch_service_state }}
