Patching the log4j vulnerability in Elasticsearch

Author: 爱吃松子的小玉米 | Source: published 2021-12-15 10:13
    • The Elasticsearch versions used in this test are 7.5.1 and 7.10.1

    Download the latest log4j jars (2.15.0 at the time of writing)

    # wget https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/2.15.0/log4j-api-2.15.0.jar
    # wget https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar
    

    Patching the log4j vulnerability on ES 7 installed from the RPM package

    • Back up the original log4j jars shipped with ES
    # mkdir /opt/log4j
    # cp /usr/share/elasticsearch/lib/log4j-*.jar /opt/log4j
    
    • Replace the ES log4j jars with the latest version and remove the old 2.11.1 jars
    # cp log4j-*.jar /usr/share/elasticsearch/lib/
    # rm -f /usr/share/elasticsearch/lib/log4j-*2.11.1.jar
    
    • Append -Dlog4j2.formatMsgNoLookups=true to the end of the ES jvm.options file
    # vim /etc/elasticsearch/jvm.options
    -Dlog4j2.formatMsgNoLookups=true  
    
    • Restart the ES service and test it
    # systemctl restart elasticsearch
    # curl -XGET localhost:9200
    

    Patching the log4j vulnerability on ES 7 installed from the source package

    • Back up the original log4j jars shipped with ES
    # mkdir /opt/log4j
    # cp /usr/local/elasticsearch-7.5.1/lib/log4j-*.jar /opt/log4j/
    # ls /opt/log4j/
    
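    • Replace the ES log4j jars with the latest version (an ES installed from the source package cannot be started as root, so a separate user is needed; the user I created is named user-es)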
    # cp log4j-*.jar /usr/local/elasticsearch-7.5.1/lib/
    # rm -f /usr/local/elasticsearch-7.5.1/lib/log4j-*2.11.1.jar
    # chown user-es: /usr/local/elasticsearch-7.5.1/lib/*
    
    • Append -Dlog4j2.formatMsgNoLookups=true to the end of the ES jvm.options file
    # vim /usr/local/elasticsearch-7.5.1/config/jvm.options
    -Dlog4j2.formatMsgNoLookups=true
    
    • Restart the ES service
    # su - user-es
    $ ps aux|grep elastic
    user-es   7093  2.5 19.8 6609416 1584568 pts/0 Sl   15:25   4:49 /usr/local/elasticsearch-7.5.1/jdk/bin/java...
    $ kill 7093
    $ ps aux|grep elastic
    user-es  29541  0.0  0.0 115924  1000 pts/0    S+   18:33   0:00 grep --color=auto elastic
    $ /usr/local/elasticsearch-7.5.1/bin/elasticsearch -d
    $ ps aux|grep elastic
    
    • Check the ES status
    # curl -XGET localhost:9200
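
To confirm that either procedure above left no old jar behind and that the JVM flag is active, the following check can be run after the restart. It is an added example, not part of the original post; the function names `version_ge` and `check_es_log4j` are hypothetical, and the minimum version defaults to the 2.15.0 used here but can be passed as a third argument for a later log4j release.

```shell
#!/bin/sh
# Added example (not from the original post): verify the patch result.

# version_ge A B: true when dotted numeric version A >= B.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_es_log4j LIB_DIR JVM_OPTIONS [MIN_VERSION]
# Returns 0 only if every log4j-api/log4j-core jar in LIB_DIR is at least
# MIN_VERSION (default: the 2.15.0 used on this page), both jars exist,
# and JVM_OPTIONS holds an uncommented formatMsgNoLookups line.
check_es_log4j() {
    lib_dir=$1; jvm_opts=$2; min=${3:-2.15.0}; rc=0
    for name in api core; do
        count=0
        for jar in "$lib_dir"/log4j-"$name"-*.jar; do
            [ -e "$jar" ] || continue          # glob matched nothing
            count=$((count + 1))
            ver=${jar##*-}; ver=${ver%.jar}    # log4j-core-2.15.0.jar -> 2.15.0
            if version_ge "$ver" "$min"; then
                echo "OK      $jar"
            else
                echo "OLD     $jar (older than $min, remove it)"; rc=1
            fi
        done
        [ "$count" -gt 0 ] || { echo "MISSING log4j-$name jar in $lib_dir"; rc=1; }
    done
    # A commented-out line (#-Dlog4j2...) does not count as set.
    if grep -Eq '^[[:space:]]*-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$' "$jvm_opts" 2>/dev/null; then
        echo "OK      formatMsgNoLookups set in $jvm_opts"
    else
        echo "MISSING -Dlog4j2.formatMsgNoLookups=true in $jvm_opts"; rc=1
    fi
    return "$rc"
}

# Usage with the RPM paths from this page:
#   check_es_log4j /usr/share/elasticsearch/lib /etc/elasticsearch/jvm.options
```

For the source-package install, pass /usr/local/elasticsearch-7.5.1/lib and /usr/local/elasticsearch-7.5.1/config/jvm.options instead.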
    

          Article link: https://www.haomeiwen.com/subject/jewufrtx.html