Elasticsearch 7.10.x didn't receive the iteration that addressed recent JNDI related Log4j vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) as 6.8.x did. Since this probably won't happen, we need to make sure that the newly deployed version isn't affected.
Mitigations:
AC:
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | None | T248925 Make MediaWiki release tarball compatible with PHP 8.0 | |||
| Resolved | Jdforrester-WMF | T300463 Make PHP 8.0 voting on MW master | |||
| Resolved | None | T283275 Make MW master tests pass on PHP 8.0 | |||
| Resolved | Reedy | T268861 CirrusSearch uses Elastica's Match class | |||
| Resolved | Reedy | T268863 Translate uses Elastica's Match class | |||
| Resolved | matthiasmullie | T268866 WikibaseMediaInfo uses Elastica's Match class | |||
| Invalid | None | T268864 WikibaseCirrusSearch uses Elastica's Match class | |||
| Resolved | Reedy | T268865 WikibaseLexemeCirrusSearch uses Elastica's Match class | |||
| Resolved | EBernhardson | T271777 Bump rufin/elastica (and related libraries) to versions that support PHP 8.0 | |||
| Resolved | Gehel | T263142 [EPIC] Upgrade Elasticsearch to version 7.10 | |||
| Resolved | • Zbyszko | T300833 Address "Log4shell" vulnerability in Elasticsearch 7.10.2 |
Based on https://xeraa.net/blog/2021_mitigate-log4j2-log4shell-elasticsearch/#what-does-that-mean-for-elasticsearch , RCE type vulnerability doesn't apply to Elasticsearch thanks to use of SecurityManager, but since our instances are using JRE8, there are some vulnerabilities still, that can be fixed by using mentioned system property.