Friday, December 10, 2021

Security Onion 2.3.90 20211210 Hotfix Now Available to Mitigate log4j Vulnerability!

We recently released Security Onion 2.3.90 and a few hotfixes:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211206

Today, we are releasing an additional hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

If you haven't updated recently, then you should review all links above so that you are aware of all recent changes.

A vulnerability was recently announced in log4j:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

The following components have vulnerable versions of log4j:

  • Elasticsearch
  • Logstash
  • TheHive/Cortex have a separate Elasticsearch instance

For Elasticsearch, Logstash, and the Elasticsearch instance for TheHive/Cortex, we've added the log4j2.formatMsgNoLookups=true option to disable the vulnerable code. It should be noted that TheHive/Cortex includes log4j 2.9.1 but NOT log4j-core-2.9.1.jar, which is the JAR that contains the JNDI lookup code. Instead, TheHive and Cortex utilize the simple logging facade via log4j-to-slf4j-2.9.1.jar and that library does NOT contain the vulnerable JNDI lookup code.

UPDATE 2021/12/13 We've released an additional hotfix that more fully addresses all known log4j attack vectors:
https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:

https://securityonion.net/download

Then follow the steps here:

https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.