Yesterday, Harrison Neal reported a theoretically remotely exploitable security flaw in the Graylog omnibus package which is being used in the official Graylog OVA (virtual appliance) and AMI (Amazon Machine Image).
The original issue describing the problem can be found at Graylog2/omnibus-graylog2#46.
NOTE: The Graylog tar-balls (manual installation), DEB and RPM packages, and the official Graylog Docker images are not affected.
We'd like to thank Harrison for reporting this issue and want to encourage everyone in the community to responsibly report security problems with Graylog.
Please report bugs and any other issues in our GitHub graylog-server repo.
The problem with previous versions of the OVA (virtual appliance) and AMI is that Elasticsearch was being started with the Java Management Extensions (JMX) enabled and listening to the public network interface on port 3333/tcp without any authorization and without any transport encryption (TLS).
While this might not be a problem in isolated networks running Graylog, it may be exploited if the port is exposed to the public Internet or to any other third parties.
If you want to check whether JMX is activated on your Graylog installation based on the OVA (virtual appliance) or AMI, run the following command:
ubuntu@graylog:~$ sudo lsof -i :3333 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME java 1479 graylog 48u IPv4 11448 0t0 TCP *:3333 (LISTEN)
If the command output is empty, everything is fine. If the command output is similar to the output above, you need to take action.
Either upgrade to the latest version of the Graylog omnibus package as described in the documentation or replace the virtual machine with the latest version of the Graylog OVA (virtual appliance) or AMI.
- Documentation: Upgrading the omnibus package
Disabling JMX manually
If you're unable to upgrade to the latest version of the Graylog omnibus package, you can disable JMX for Elasticsearch manually.
Open the file
/opt/graylog/sv/elasticsearch/run in your favorite editor (for example in Nano with
sudo nano -w /opt/graylog/sv/elasticsearch/run) and remove the following 4 lines:
-Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=3333
After that, save the file (for example in Nano by pressing Ctrl+O), exit the editor (for example in Nano by pressing Ctrl+X), and restart Elasticsearch with the following command:
ubuntu@graylog:~$ sudo graylog-ctl restart elasticsearch ok: run: elasticsearch: (pid 2156) 0s
If you have more than one Elasticsearch node, you have to make these changes on all systems.