Monday, December 13, 2021

Security Onion 2.3.90 20211213 Hotfix Now Available to Fully Mitigate All Known log4j Attack Vectors!

We recently released Security Onion 2.3.90 and a few hotfixes:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211206
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

Today, we are releasing an additional hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211213

If you haven't updated recently, then you should review all links above so that you are aware of all recent changes.

Summary

A vulnerability was recently announced in log4j:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

We released an initial hotfix on Friday:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

Elastic later released additional details:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Today's hotfix addresses all known attack vectors for the log4j vulnerability by fully removing the JndiLookup class.

UPDATE 2021/12/14 An additional CVE was announced:
https://nvd.nist.gov/vuln/detail/CVE-2021-45046

This new CVE recommends removing the JndiLookup class and that was done in this 20211213 hotfix.

UPDATE 2021/12/16 If you scan with a vulnerability scanner that just looks at version numbers, then it may detect vulnerabilities as we kept the existing version numbers but removed the vulnerable JndiLookup class. Also, some scanners may flag elasticsearch-sql-cli-7.15.2.jar but there is no attack vector here according to Elastic:

This tool is standalone (NOT part of the server), for running ad-hoc SQL interactions. The tool does NOT accept external user input. The mere presence of the JndiLookup.class is not problematic here, but it looks interesting and could lead to confusion for scanners

UPDATE 2021/12/20 Elastic released 7.16.2 yesterday with updated Log4j 2.17.0, primarily to avoid false positives in vulnerability scanners. We are currently looking into this version. Updating to new Elastic containers will require a full release (not just a hotfix), so it will take some time.

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:
https://securityonion.net/download

Then follow the steps here:
https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:
https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:
https://securityonion.net/discuss

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.