A zero-day vulnerability affecting versions 2.0 through 2.14.1 of the Apache Log4j 2 package was publicly disclosed on December 9, 2021. In response, Graylog released patched versions 3.3.15, 4.0.14, 4.1.9, and 4.2.3. Shortly afterward, the Log4j project released another update to address additional vulnerabilities, and the Log4j bundled with Graylog has since been upgraded to 2.16.0.

Log4j patched a new vulnerability, CVE-2021-45046, to prevent a potential DoS attack. That is why the Graylog team decided to publish new 4.2.x, 4.1.x, 4.0.x, and 3.3.x releases that ship with Log4j 2.16.0.

In this guide, we’ll provide all the steps needed to upgrade instances of both Graylog Server and the Forwarder.

Graylog On-prem Update - OS Packages

The commands below apply to the operating system on which you have installed Graylog.

Debian

sudo apt-get update

# NOTE: When performing the next step you might receive a prompt to update the server.conf file. Do not overwrite (select N). You have custom configurations you need to preserve. If you overwrite you risk taking down your Graylog instance altogether!
sudo apt-get install graylog-server

# Or if you installed “graylog-enterprise” instead of “graylog-server”
sudo apt-get install graylog-enterprise

sudo systemctl restart graylog-server.service

RPM

sudo yum install --refresh graylog-server

# Or if you installed “graylog-enterprise” instead of “graylog-server”
sudo yum install --refresh graylog-enterprise

sudo systemctl restart graylog-server.service

Forwarder Update - OS Packages

The following commands assume that the OS package repository files have
been installed according to your Forwarder installation instructions.

Debian

This refreshes the package repository metadata so the latest package
versions are visible, then installs the latest version.

sudo apt-get update

# NOTE: When performing the next step you might receive a prompt to update your server.conf. Do not overwrite (e.g. select N). You have custom configurations you need to preserve. If you overwrite you risk taking down your Graylog instance altogether!
sudo apt-get install graylog-forwarder

sudo systemctl restart graylog-forwarder.service

RPM

This updates to the latest version and forces a repository metadata refresh
so the latest package versions are visible.

sudo yum update --refresh graylog-forwarder
sudo systemctl restart graylog-forwarder.service
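After the package upgrade, a practitioner wants to confirm that the installed packages really carry a fixed Log4j rather than trusting the package version alone. The script below is an added example and not part of Graylog's guide. It assumes that the server and Forwarder packages ship Log4j as files named log4j-core-<version>.jar in library directories such as /usr/share/graylog-server/lib (both the naming and the paths are assumptions), reads the version from the file name, and compares it against 2.16.0, the release the guide says the patched versions ship with. A constructed temporary directory with empty stand-in files is used for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Graylog guide: after the package upgrade,
# confirm that the Log4j jars shipped with Graylog are at or above the
# release the guide names (2.16.0). It assumes the jars are named
# log4j-core-<version>.jar; the lib paths mentioned at the bottom are
# assumptions for a package install.
FIXED_VERSION="2.16.0"

# version_ge A B: exit 0 when dotted version A is >= B, 1 otherwise.
# Components must be numeric; a missing component counts as 0, so
# 2.16 and 2.16.0 compare equal.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        if [ "$p1" = "$v1" ]; then v1=""; else v1=${v1#*.}; fi
        if [ "$p2" = "$v2" ]; then v2=""; else v2=${v2#*.}; fi
        p1=${p1:-0}; p2=${p2:-0}
        [ "$p1" -gt "$p2" ] && return 0
        [ "$p1" -lt "$p2" ] && return 1
    done
    return 0
}

# jar_version PATH: print the version embedded in a log4j-core-<ver>.jar name.
jar_version() {
    name=$(basename "$1")
    name=${name#log4j-core-}
    printf '%s\n' "${name%.jar}"
}

# check_dir DIR: report every log4j-core jar in DIR; exit 1 if any is outdated.
check_dir() {
    status=0
    for jar in "$1"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue   # the glob matched nothing
        v=$(jar_version "$jar")
        if version_ge "$v" "$FIXED_VERSION"; then
            printf 'OK        %s (%s)\n' "$jar" "$v"
        else
            printf 'OUTDATED  %s (%s < %s)\n' "$jar" "$v" "$FIXED_VERSION"
            status=1
        fi
    done
    return $status
}

# Demonstration on a constructed directory (empty files stand in for jars).
# On a real host you would point check_dir at the assumed package paths,
# e.g. /usr/share/graylog-server/lib and /usr/share/graylog-forwarder/lib.
demo_dir=$(mktemp -d)
touch "$demo_dir/log4j-core-2.14.1.jar" "$demo_dir/log4j-core-2.16.0.jar"
check_dir "$demo_dir" || echo "at least one jar is below $FIXED_VERSION; re-run the package upgrade"
rm -rf "$demo_dir"
```

The check deliberately compares version components numerically instead of relying on `sort -V`, so it behaves the same on minimal images. If a host reports OUTDATED after the upgrade, the package was not actually replaced (for example because the repository metadata was stale), and the apt or yum step above should be repeated.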

Elasticsearch (ES)

Warning: Elasticsearch 7.11 and higher is not supported by Graylog. If you upgrade to that version, Graylog will break!

Elastic is affected by this vulnerability, as discussed in their forum post.

Affected Versions of ES

Elasticsearch versions 5.0.0+ contain a vulnerable version of Log4j. Our team confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7. An investigation is still underway for Elasticsearch 5.

ES Solutions and Mitigations

For Elasticsearch, add this JVM option:

-Dlog4j2.formatMsgNoLookups=true

For instructions on setting JVM configuration, review the steps in Elastic’s JVM options chapter.

Docker Compose

Ensure you add the -Dlog4j2.formatMsgNoLookups=true option to ES_JAVA_OPTS in the Elasticsearch service definition of your docker-compose.yaml file.

For example:

elasticsearch:
   image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
   environment:
     - http.host=0.0.0.0
     - transport.host=localhost
     - network.host=0.0.0.0
     - "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms4096m -Xmx4096m"
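Whether the flag is set through Elastic's jvm.options file or through ES_JAVA_OPTS in Docker Compose, the useful check is that the option is really present as a whole token and not commented out. The script below is an added example, not Graylog's or Elastic's code. It assumes a jvm.options file with one option per line where lines starting with '#' are comments, and a compose file whose Elasticsearch service carries an ES_JAVA_OPTS entry under environment, as in the guide's example; both sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the Graylog guide: verify that an Elasticsearch
# JVM configuration actually carries the -Dlog4j2.formatMsgNoLookups=true
# option the guide tells you to add. File layouts are assumptions: a
# jvm.options file with one option per line ('#' lines are comments) and a
# docker-compose file with an ES_JAVA_OPTS entry under environment.
FLAG="-Dlog4j2.formatMsgNoLookups=true"

# opts_have_flag "OPTS": exit 0 when the flag is a whole token of OPTS.
# Matching whole tokens avoids accepting ...NoLookups=false by substring.
opts_have_flag() {
    for tok in $1; do
        [ "$tok" = "$FLAG" ] && return 0
    done
    return 1
}

# jvm_options_file_has_flag FILE: comment lines are dropped first, so a
# commented-out flag is correctly reported as missing.
jvm_options_file_has_flag() {
    opts_have_flag "$(grep -v '^[[:space:]]*#' "$1")"
}

# compose_has_flag FILE: take the first ES_JAVA_OPTS line, strip the YAML
# quoting, and test the remaining option string.
compose_has_flag() {
    line=$(grep 'ES_JAVA_OPTS=' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    value=${line#*ES_JAVA_OPTS=}
    value=$(printf '%s' "$value" | tr -d "\"'")
    opts_have_flag "$value"
}

# Demonstration on constructed sample files: the jvm.options carries the
# flag, the compose snippet (adapted from the guide's example) lacks it.
tmp=$(mktemp -d)
cat > "$tmp/jvm.options" <<'EOF'
-Xms4096m
-Xmx4096m
-Dlog4j2.formatMsgNoLookups=true
EOF
cat > "$tmp/docker-compose.yaml" <<'EOF'
elasticsearch:
   image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
   environment:
     - http.host=0.0.0.0
     - "ES_JAVA_OPTS=-Xms4096m -Xmx4096m"
EOF
if jvm_options_file_has_flag "$tmp/jvm.options"; then
    echo "jvm.options: flag present"
else
    echo "jvm.options: FLAG MISSING, add $FLAG"
fi
if compose_has_flag "$tmp/docker-compose.yaml"; then
    echo "docker-compose.yaml: flag present"
else
    echo "docker-compose.yaml: FLAG MISSING, add $FLAG to ES_JAVA_OPTS"
fi
rm -rf "$tmp"
```

Run the two check functions against the real jvm.options and compose files after editing them and again after the container or service restarts, since an option added to a file the running JVM never read protects nothing. The flag only disables message lookups; for the Graylog packages themselves, the upgrade that replaces the bundled Log4j jar remains the fix.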