Log4Shell
RedELK prior to v2 beta 5 is vulnerable to Log4Shell. This is because:
- Logstash prior to version 7.16.3 is vulnerable.
- The Neo4j image prior to 4.2 is vulnerable.
Other components are either not vulnerable or implemented in such a way that they are not exploitable. Well, at least that is what we think after a quick review. Either way, the result of the review was that we should upgrade, so that is what we did.
**Immediate mitigating measure** is to disable Logstash on your RedELK server. This way, no new data will come to your RedELK server.
**Long term solutions** are twofold: new installation (preferred) and upgrade (not preferred and not thoroughly tested).
The preferred way is to nuke your RedELK install and install at least version v2.0.0-beta.5.
Warning: upgrading RedELK was never supported and never thought of. RedELK installs should not exist beyond a single operation, most likely at most a few months.
However, due to Log4Shell, we tried to see if upgrading is possible without breaking too much.
Warning: you will lose Neo4j and Jupyter notebook functionality. If you are interested in keeping that functionality, you are on your own.
On your elkserver:
- Stop all redelk docker images: `docker stop $(docker ps -a -q --filter="name=redelk")`
- Set the right RedELK version: in file `/elkserver/.env` set `REDELKVERSION=v2.0.0-beta.5`
- Disable Kibana app installation: in file `elkserver/docker/redelk-kibana/Dockerfile` comment out the last line to disable the installation of the Kibana RedELK app. It should read like `#RUN /usr/share/kibana/bin/kibana-plugin install https://github.com/fastlorenzo/redelk-kibana-app/releases/download/v0.3.0/redelk-7.10.0.zip`
- Set docker-compose to the "limited" RedELK option: `rm docker-compose.yml && ln -s redelk-limited.yml docker-compose.yml`
- Run `docker-compose up -d`
- Wait several minutes for docker-compose to complete. Then wait another few before all the images are properly started.
- Browse to your Kibana RedELK interface. This should work. If not, wait some more and maybe check the docker logs. You can safely ignore the `https://redelky` error.
On all your c2 servers and redirectors:
- Make a backup of your filebeat config: `cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.backupredelkupgrade`
- Stop the filebeat service: `service filebeat stop`
- Upgrade filebeat to 7.16.3: `apt-get update && apt-get install filebeat="7.16.3"`
- If apt asks to overwrite the filebeat config file, say No. If apt did it anyway, well, you still have your backup config file.
- Start the filebeat service: `service filebeat start`

You can check that new events are coming in on your RedELK server by looking for `agent.version` fields containing `7.16.3`.
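As an added example (not part of this page or the RedELK project), a shell script that checks the end state the two procedures above describe: the elkserver edits (`.env` version pin, commented-out Kibana plugin line, `docker-compose.yml` symlink) and the filebeat version string on c2 servers and redirectors. The elkserver directory layout is taken from the paths quoted above; the `filebeat version` output format and the fixture values used to try the checks offline are assumptions.

```shell
# Added example, not RedELK project code. $1 for the elkserver checks is the
# path to the RedELK elkserver directory (layout taken from the procedure).

# .env must pin the patched release.
check_env_version() {
  grep -qx 'REDELKVERSION=v2.0.0-beta.5' "$1/.env"
}

# No uncommented RUN line in the Kibana Dockerfile may still install the plugin.
check_kibana_dockerfile() {
  ! grep -Eq '^[[:space:]]*RUN .*kibana-plugin install' "$1/docker/redelk-kibana/Dockerfile"
}

# docker-compose.yml must be the symlink to the "limited" compose file.
check_compose_symlink() {
  [ -L "$1/docker-compose.yml" ] &&
    [ "$(readlink "$1/docker-compose.yml")" = "redelk-limited.yml" ]
}

# $1 is the output of `filebeat version` on a c2 server or redirector.
# The "filebeat version X.Y.Z ..." output format is an assumption.
check_filebeat_version() {
  printf '%s\n' "$1" | grep -Eq '^filebeat version 7\.16\.3([^0-9]|$)'
}

# Run the elkserver checks, print one line per check, return the failure count.
verify_elkserver() {
  local fails=0 c
  for c in check_env_version check_kibana_dockerfile check_compose_symlink; do
    if "$c" "$1"; then echo "OK   $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
  done
  return "$fails"
}

# Constructed fixture for trying the checks offline: "patched" mirrors the
# procedure's end state, anything else a pre-upgrade state. Prints the temp dir.
make_sample_checkout() {
  local d; d=$(mktemp -d); mkdir -p "$d/docker/redelk-kibana"
  if [ "$1" = patched ]; then
    printf 'REDELKVERSION=v2.0.0-beta.5\n' > "$d/.env"
    printf '#RUN /usr/share/kibana/bin/kibana-plugin install APP_ZIP_URL_PLACEHOLDER\n' > "$d/docker/redelk-kibana/Dockerfile"
    ln -s redelk-limited.yml "$d/docker-compose.yml"
  else
    printf 'REDELKVERSION=v2.0.0-beta.4\n' > "$d/.env"   # constructed pre-upgrade value
    printf 'RUN /usr/share/kibana/bin/kibana-plugin install APP_ZIP_URL_PLACEHOLDER\n' > "$d/docker/redelk-kibana/Dockerfile"
    : > "$d/docker-compose.yml"                          # plain file, not the symlink
  fi
  echo "$d"
}
```

On a real elkserver run `verify_elkserver /path/to/elkserver`; on a c2 server or redirector run `check_filebeat_version "$(filebeat version)"`.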