[Security] Add log4j vulnerability mitigation in Elasticsearch

Change-Id: I2d4a4fab35771723be82a1c8b98dbe4cc3164f58 (cherry picked from commit ecbd96bebb)
2021-12-15 17:01:11 +01:00 · 2021-12-15 17:01:11 +01:00 · f35e44aaf7
parent 65f95a99ed
commit f35e44aaf7
2 changed files with 6 additions and 1 deletions
--- a/ansible/roles/elasticsearch/defaults/main.yml
+++ b/ansible/roles/elasticsearch/defaults/main.yml
@ -38,7 +38,7 @@ elasticsearch_enable_keystone_registration: False

 elasticsearch_cluster_name: "kolla_logging"
 es_heap_size: "1g"
-es_java_opts: "{% if es_heap_size %}-Xms{{ es_heap_size }} -Xmx{{ es_heap_size }}{%endif%}"
+es_java_opts: "{% if es_heap_size %}-Xms{{ es_heap_size }} -Xmx{{ es_heap_size }}{%endif%} -Dlog4j2.formatMsgNoLookups=true"

 #######################
 # Elasticsearch Curator
--- a/releasenotes/notes/security-log4j-1be047799f8e590a.yaml
+++ b/releasenotes/notes/security-log4j-1be047799f8e590a.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Adds mitigation for the Apache Log4j2 Remote Code Execution (RCE)
+    Vulnerability in Elasticsearch - CVE-2021-44228.