A recent disclosure of a severe bug in the log4j library (CVE-2021-44228) has made many web applications vulnerable to compromise. Sandfly Security has performed an audit and has determined we are not vulnerable based on currently known information.
The only potential exposure Sandfly has to the log4j vulnerability is through the one Java-based component in our stack, Elasticsearch. After evaluating our use of Elasticsearch and the versions of software involved, we do not believe the log4j vulnerability affects the version of Elasticsearch we are using.
The Elasticsearch team has provided the following information regarding the core Elasticsearch product, which is the only product we deploy with Sandfly:
Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager. Elasticsearch on JDK8 or below is susceptible to an information leak via DNS which is fixed by a simple JVM property change. The information leak does not permit access to data within the Elasticsearch cluster.Brian Levine, Elastic Team Member
The version of the Elasticsearch Docker container that the latest version (3.0.5) of Sandfly launches is 7.14.1. This container includes a Java 16 runtime, so the information leak via DNS vulnerability is not applicable.
Based on the information available to us, we do not believe further action is required to protect Sandfly deployments from the log4j vulnerability. Out of an abundance of caution, customers may set the recommended JVM option which disables the vulnerable feature in log4j (the Elasticsearch version we use uses log4j 2.11.1, a version for which this mitigation is applicable).
If you wish to enable mitigations, please edit the file:
Add the following additional environment variable to the Docker run command (e.g. between lines 44 and 45 of the script as it ships with Sandfly 3.0.5):
-e "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true" \
(Note the backslash at the end of the new line to ensure the following lines remain part of the docker run command.)
Version 3.1 of Sandfly is about to be released and contains no Elasticsearch, Java or library dependencies that are vulnerable. Customers concerned about potential exposure to the log4j bug in Elasticsearch can simply upgrade to 3.1 and know they are 100% safe from this bug.
Thank you for your support.