UPDATE 14 December 2021
Some news: for PRO users running Elasticsearch and Kibana, the Elastic team said:
Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage.
Source: Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack
So Elasticsearch and Kibana are not susceptible to the RCE vulnerability (OpenVidu has shipped Elasticsearch 7.8.0 since OpenVidu 2.16.0). In any case, if you want an extra safeguard, you can set this environment variable in
/opt/openvidu/.env (keep whatever -Xms/-Xmx heap values you already use) and you should be fine:
ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms2048m -Xmx2048m
UPDATE 16 December 2021
Now it seems that
-Dlog4j2.formatMsgNoLookups=true is not enough to cover all attack vectors. The good news is that, as Elastic said in another post, Elasticsearch is not susceptible to such attacks being executed.
Yesterday a new CVE, CVE-2021-45046, was published, and the parameter
-Dlog4j2.formatMsgNoLookups=true does not cover all of the attack vectors it describes.
I’ve created a patch so you can keep using Elasticsearch 7.6.2 or 7.8.0 with this new CVE also covered.
You just need to replace the docker image used in your deployment in
If your deployment uses 7.8.0, replace the Docker image with the patched one:
- image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
+ image: openvidu/openvidu-elasticsearch:7.8.0
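Review bot: the `+` line swaps the official image for a third-party tag that carries the same version number, and tags are mutable; pin the patched image by digest (`image: openvidu/openvidu-elasticsearch:7.8.0@sha256:<digest>`) or at least record the digest you pulled, so that a later push under the same `7.8.0` tag cannot silently change what the deployment runs.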
…or, if you are using 7.6.2:
- image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2
+ image: openvidu/openvidu-elasticsearch:7.6.2
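Review bot: 7.6.2 is below the 6.8.9+ / 7.8+ range that the Elastic statement quoted above covers, so for this hunk the updated Log4j inside the patched image is the only mitigation on offer; it is worth saying that explicitly beside the 7.6.2 variant, and keeping the ES_JAVA_OPTS flag from the 14 December update in place as a second layer. The hunks also show only the `image:` line, so consider quoting the surrounding service block so readers can find the right place in their compose file.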
This image is exactly the same as the official Elasticsearch one, but with a patch applied. You can check how the images are patched here:
The Log4j version is updated directly in the image.
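To verify what actually ends up inside an image (patched or not), it is easier to inspect the Log4j jars than to trust the tag. The following scanner is an added example written for this page, not code from OpenVidu or Elastic. It assumes the Elasticsearch jars live in /usr/share/elasticsearch/lib (the layout of the official image) and that you copy that directory out with `docker cp`; it treats log4j-core 2.16.0 or later as fixed for CVE-2021-44228 and CVE-2021-45046, and also accepts an older jar from which JndiLookup.class has been removed, the hot fix Apache documented for deployments that cannot upgrade. It says nothing about later Log4j CVEs. The sample jars it builds when run without arguments are constructed stand-ins, not real Log4j.

```python
"""check_log4j_jars.py: report whether the log4j-core jar in an Elasticsearch
lib directory is fixed for CVE-2021-44228 / CVE-2021-45046.

Typical use (added example, not OpenVidu tooling):
    docker cp <container>:/usr/share/elasticsearch/lib ./es-lib
    python3 check_log4j_jars.py ./es-lib
"""
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Log4j 2.16.0 disabled JNDI and removed message lookups by default; it is the
# fix version for both CVE-2021-44228 and CVE-2021-45046 on Java 8+.
FIXED_VERSION: Tuple[int, ...] = (2, 16, 0)
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Deleting this class from log4j-core is the documented hot fix for jars that
# cannot be upgraded; its absence therefore also counts as mitigated.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class JarReport:
    name: str
    version: Tuple[int, ...]
    has_jndi_lookup: bool

    @property
    def safe(self) -> bool:
        """Fixed version, or an older jar with JndiLookup stripped out."""
        return self.version >= FIXED_VERSION or not self.has_jndi_lookup


def scan_lib_dir(lib_dir: str) -> List[JarReport]:
    """Inspect every log4j-core jar in lib_dir: the filename gives the
    version, the zip listing tells us whether JndiLookup.class is present."""
    reports = []
    for name in sorted(os.listdir(lib_dir)):
        match = JAR_NAME.match(name)
        if not match:
            continue
        version = tuple(int(part) for part in match.groups())
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            has_jndi = JNDI_CLASS in jar.namelist()
        reports.append(JarReport(name, version, has_jndi))
    return reports


def lib_is_safe(lib_dir: str) -> bool:
    """True only if every log4j-core jar found is mitigated."""
    reports = scan_lib_dir(lib_dir)
    if not reports:
        raise FileNotFoundError(f"no log4j-core jar found in {lib_dir}")
    return all(r.safe for r in reports)


def make_sample_libs(base_dir: Optional[str] = None) -> Dict[str, str]:
    """Constructed sample lib dirs (tiny fake jars, not real Log4j) so the
    scanner can be exercised offline. Returns {scenario: path}."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="es-lib-samples-")
    scenarios = {
        # Old jar, JndiLookup present: what an unpatched image would show.
        "unpatched": ("log4j-core-2.11.1.jar", True),
        # Same old jar with JndiLookup.class deleted: the strip-the-class fix.
        "stripped": ("log4j-core-2.11.1.jar", False),
        # Jar at/after the fix version (the class still ships but is disabled).
        "upgraded": ("log4j-core-2.17.0.jar", True),
    }
    paths = {}
    for scenario, (jar_name, with_jndi) in scenarios.items():
        lib_dir = os.path.join(base_dir, scenario)
        os.makedirs(lib_dir, exist_ok=True)
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class
        paths[scenario] = lib_dir
    return paths


if __name__ == "__main__":
    targets = sys.argv[1:] or list(make_sample_libs().values())
    for lib_dir in targets:
        for r in scan_lib_dir(lib_dir):
            state = "present" if r.has_jndi_lookup else "removed"
            verdict = "OK" if r.safe else "VULNERABLE"
            print(f"{lib_dir}: {r.name} JndiLookup={state} -> {verdict}")
```

Run it against the lib directory copied out of both the official and the patched container and compare the two verdicts; a jar that reports `VULNERABLE` should never be running behind an exposed port, whatever the tag says.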
Elastic recommends upgrading to version 7.16.2, but we can’t force that upgrade because it would break compatibility with AWS OpenSearch, Metricbeat and Filebeat.
I want to clarify that this is just an additional protection for Elasticsearch: at the moment, and according to what the Elastic team says, Elasticsearch is not compromised. This is just a patch to cover current and future CVEs related to JNDI lookups and Log4j… an additional protection, just in case.