OpenVidu is not affected by Log4J vulnerability and Elasticsearch additional info (CVE-2021-44228, CVE-2021-45046)

pabloFuente · December 13, 2021, 9:33am

Hello,

We’d like to inform that OpenVidu is NOT affected by Log4J vulnerability (CVE-2021-44228). Neither OpenVidu nor any of its dependencies includes Log4J. There is no need to make any changes to the OpenVidu services configuration.

Best regards.

cruizba · December 14, 2021, 9:39am

UPDATE 14 December 2021
Some News: For PRO users using Elasticsearch and Kibana, Elastic team said:

Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage.
Source: Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack

So Elasticsearch and Kibana are not susceptible of RCE vulnerability (OpenVidu uses 7.8.0 version since version 2.16.0). In any case, if you feel paranoid you can use this environment in /opt/openvidu/.env and you should be fine:

~~ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms2048m -Xmx2048m~~

UPDATE 16 December 2021
Now it seems like -DDlog4j2.formatMsgNoLookups=true its not enough to cover all attack vectors. The good news its like Elastic said in another blog that Elasticsearch is not susceptible of such attacks to be executed.

Yesterday a new CVE-2021-45046 has been discovered, and also the parameter -Dlog4j2.formatMsgNoLookups=true seems to not cover all attack vectors.

I’ve created a patch to still using Elasicsearch 7.6.2 or 7.8.0 so this new CVE is also covered.
You just need to replace the docker image used in your deployment in /opt/openvidu/.env:

If your deployment is using 7.8.0 you can replace the docker image to a new one patched:

...
elasticsearch:
-       image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
+       image: openvidu/openvidu-elasticsearch:7.8.0
        restart: always
        environment:
...

…or if you are using 7.6.2

...
elasticsearch:
-       image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2
+       image: openvidu/openvidu-elasticsearch:7.6.2
        restart: always
        environment:
...

This image is exactly the same as the official one from elasticsearch, but a patch is being applied. You can check how images are patched here:

The log4j version is updated directly in the image.

Elasticsearch recommends to update to version 7.16.2, but, we can’t enforce such upgrade because this would break compatibility with AWS OpenSearch, metricbeat and filebeat.

I want to clarify that this is just an additional protection for Elasticsearch, but at the moment and regarding what Elastic team says, Elasticsearch is not compromised. This is just a patch to cover for current and future CVEs related with JNDI lookups and log4j… An additional protection just in case.

Best Regards

Topic		Replies	Views
Elasticsearch and Kibana are now business risks Request for enhancement	3	418	March 13, 2021
Unable to view sessions logs from the OpenVidu inspector Issues with deployment	4	322	April 25, 2022
There was an error on my Kibana dashboard, what should I do? Issues with deployment	6	2166	July 15, 2020
On Premises Pro Deployment Kibana Issues (openvidu-server_1 \| Waiting for kibana in 'http://127.0.0.1/kibana' 'URL'.) Issues with deployment	11	654	June 15, 2022
Saving of opnevidu logs and elastic search password Issues with deployment	1	377	December 16, 2020

OpenVidu is not affected by Log4J vulnerability and Elasticsearch additional info (CVE-2021-44228, CVE-2021-45046)

Related Topics