We recently released Security Onion 2.3.90 and a few hotfixes:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211206
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210
Today, we are releasing an additional hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211213
If you haven't updated recently, then you should review all links above so that you are aware of all recent changes.
Summary
A vulnerability was recently announced in log4j:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
We released an initial hotfix on Friday:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210
Elastic later released additional details:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
Today's hotfix addresses all known attack vectors for the log4j vulnerability by fully removing the JndiLookup class.
UPDATE 2021/12/14 An additional CVE was announced:
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
This new CVE recommends removing the JndiLookup class and that was done in this 20211213 hotfix.
UPDATE 2021/12/16 If you scan with a vulnerability scanner that just looks at version numbers, then it may detect vulnerabilities as we kept the existing version numbers but removed the vulnerable JndiLookup class. Also, some scanners may flag elasticsearch-sql-cli-7.15.2.jar but there is no attack vector here according to Elastic:
This tool is standalone (NOT part of the server), for running ad-hoc SQL interactions. The tool does NOT accept external user input. The mere presence of the JndiLookup.class is not problematic here, but it looks interesting and could lead to confusion for scanners
UPDATE 2021/12/20 Elastic released 7.16.2 yesterday with updated Log4j 2.17.0, primarily to avoid false positives in vulnerability scanners. We are currently looking into this version. Updating to new Elastic containers will require a full release (not just a hotfix), so it will take some time.
Internet-Connected Deployments
If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html
Airgap Deployments
If you have an airgap deployment, download the new ISO image from the usual location:
https://securityonion.net/download
Then follow the steps here:
https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates
Security Onion 16.04
If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html
Questions or Problems
If you have questions or problems, please see our community support forum guidelines:
https://docs.securityonion.net/en/2.3/community-support.html
You can then find the community support forum at:
https://securityonion.net/discuss
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.