Topic on Extension talk:CirrusSearch

elastic search using log4j 2.11.1.jar

Pooja2425 (talkcontribs)

Hi Team,

we are using below,

MediaWiki 1.35.3
PHP 7.4.23 (apache2handler)
MySQL 8.0.26
Lua 5.1.5
Elasticsearch 6.5.4





please provide us any patch which is higher then log4j>2.15.0

Ciencia Al Poder (talkcontribs)

"We" don't provide ElasticSearch. ElasticSearch was installed by yourself from an external source and you should ask them

DHillBCA (talkcontribs)
Pooja2425 (talkcontribs)

Thanks alot @DHillBCA for help,

I checked this, it seems i need to add -Dlog4j2.formatMsgNoLookups=true into etc/elasticsearch/jvm.options

because we are using elastic search 6.5.4 version.

pls let me know where i can ask questions for this.

Pooja2425 (talkcontribs)
DHillBCA (talkcontribs)

Removing JndiLookup is not recommended, per the article.

If my read of the article is correct, the step you took is a good patch in the absence of updating log4j to 2.16 (2.15 was found to have related issues, so a new version was released). 2.16 does this by default.

Updating to log4j 2.16 and ensuring you're using an up-to-date version of the Java SDK appears to be the best defense against this problem.

Realsalt (talkcontribs)

6.8.21 should be good. From linked article: "[this version sets]Dlog4j2.formatMsgNoLookups=true in the JVM options and remove the JndiLookup class for you "

From elastic itself: "As of December 13, 2021, we have released Elasticsearch 6.8.21 and 7.16.1 which set the JVM option identified below and remove the vulnerable JndiLookup class from Log4j out of an abundance of caution"

Realsalt (talkcontribs)

I guess that question I have is should this be flagged as a critical version on this main page. Something like {{warning}} template? Current text says "MediaWiki 1.33.x - 1.38.x require Elasticsearch 6.5.x - 6.8.x (6.8.21+ recommended)". Is that sufficient?

Reply to "elastic search using log4j 2.11.1.jar"