Yesterday, Harrison Neal reported a theoretically remotely exploitable security flaw in the Graylog omnibus package which is being used in the official Graylog OVA (virtual appliance) and AMI (Amazon Machine Image).
The original issue describing the problem can be found at Graylog2/omnibus-graylog2#46.
NOTE: The Graylog tar-balls (manual installation), DEB and RPM packages, and the official Graylog Docker images are not affected.
We immediately fixed the issue in the Graylog 2.2.x and 2.3.x branches of the Graylog omnibus package and released updated versions of the official Graylog OVA (virtual appliance) and AMI.
The updated versions of the OVA (virtual appliance) and AMI are:
Graylog 2.3.3-3
Graylog 2.3.1-3 (recommended)
We’d like to thank Harrison for reporting this issue and want to encourage everyone in the community to responsibly report security problems with Graylog.
Please report bugs and any other issues in our GitHub graylog-server repo.
If you have questions about Graylog or anything mentioned in this blog post, please discuss them in the Graylog community forums or in our real-time chat.
Thank you!
DETAILS
The problem with previous versions of the OVA (virtual appliance) and AMI is that Elasticsearch was being started with the Java Management Extensions (JMX) enabled and listening to the public network interface on port 3333/tcp without any authorization and without any transport encryption (TLS).
While this might not be a problem in isolated networks running Graylog, it may be exploited if the port is exposed to the public Internet or to any other third parties.
We’ve disabled JMX for Elasticsearch in all affected images, see Graylog2/omnibus-graylog2#47 and Graylog2/omnibus-graylog2#48 for details.
If you want to check whether JMX is activated on your Graylog installation based on the OVA (virtual appliance) or AMI, run the following command:
ubuntu@graylog:~$ sudo lsof -i :3333
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 1479 graylog 48u IPv4 11448 0t0 TCP *:3333 (LISTEN)
If the command output is empty, everything is fine. If the command output is similar to the output above, you need to take action.
Either upgrade to the latest version of the Graylog omnibus package as described in the documentation or replace the virtual machine with the latest version of the Graylog OVA (virtual appliance) or AMI.
- Documentation: Upgrading the omnibus package
DISABLING JMX MANUALLY
If you’re unable to upgrade to the latest version of the Graylog omnibus package, you can disable JMX for Elasticsearch manually.
Open the file /opt/graylog/sv/elasticsearch/run in your favorite editor (for example in Nano with sudo nano -w /opt/graylog/sv/elasticsearch/run) and remove the following 4 lines:
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.port=3333
After that, save the file (for example in Nano by pressing Ctrl+O), exit the editor (for example in Nano by pressing Ctrl+X), and restart Elasticsearch with the following command:
ubuntu@graylog:~$ sudo graylog-ctl restart elasticsearch
ok: run: elasticsearch: (pid 2156) 0s
If you have more than one Elasticsearch node, you have to make these changes on all systems.
