Vulnerabilities - Latest Squirro Release

Hi there,
I installed the latest Squirro version and I wanted to know about the potential vulnerability / threat exposed by the following files.

Path: /usr/share/zookeeper/log4j-1.2.16.jar
Installed version: 1.2.16
Fixed version that can fix this issue: 2.16.0

Path for openJDK: /usr/share/elasticsearch/jdk/
Installed version: 17.0.1
Fixed version that can fix this issue: Upgrade to a version greater than 17.0.1

Kindly let me know the steps to redeem this issue and also so that Squirro keeps working properly. We are going to higher environments soon and I would like this thing resolved as soon as possible.


Welcome Haaris!

Hi @haarisjalal :wave:

You write that you “installed the latest Squirro version”. Was this an installation on a new server, or was it actually an upgrade from a previous Squirro version?

Upgrade from a previous version

Hi @haarisjalal

See the assessment here from Apache about ZooKeeper and log4j 1.x: https://issues.apache.org/jira/browse/ZOOKEEPER-3677

Regarding the JDK used by Elasticsearch: with Squirro 3.4-TLS we upgraded Elasticsearch to 7.16.3, which fixes the log4j issue (https://www.elastic.co/guide/en/elasticsearch/reference/7.17/release-notes-7.16.3.html).

However, it looks like there’s still a vulnerability in the OpenJDK version that is bundled with Elasticsearch and used by default (17.0.1).
The suggestion is to use the Squirro-provided OpenJDK 1.8 instead, adjusting the ES_JAVA_HOME value in /etc/sysconfig/elasticsearch.

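The reply above says to point ES_JAVA_HOME at a different JDK in /etc/sysconfig/elasticsearch. The POSIX shell below is an added example, not code from the thread or from Squirro/Elastic, showing how an operator can make that change idempotently (replace an existing assignment rather than append a second one), confirm which value the file now carries, and parse the output of `java -version` to verify which JDK is actually in use before and after. The sysconfig file contents and the JDK path `/path/to/squirro/jdk-1.8` are constructed placeholders; the real file is /etc/sysconfig/elasticsearch and the real path is wherever the Squirro-provided JDK lives on your host.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for changing
# ES_JAVA_HOME in a sysconfig-style file and checking the result.

# Print the effective ES_JAVA_HOME from a sysconfig file (last uncommented
# assignment wins, matching how the shell would source the file). Prints
# nothing if the key is absent.
es_java_home_of() {
  grep '^ES_JAVA_HOME=' "$1" | tail -n 1 | cut -d= -f2-
}

# Set ES_JAVA_HOME=$2 in file $1. Existing uncommented assignments are
# rewritten in place; otherwise the line is appended. A .bak copy is kept
# so the change can be reverted. Uses a temp file instead of sed -i so it
# works on both GNU and BSD sed.
set_es_java_home() {
  file="$1"; jdk="$2"
  [ -f "$file" ] || : > "$file"
  cp "$file" "$file.bak"
  if grep -q '^ES_JAVA_HOME=' "$file"; then
    sed "s|^ES_JAVA_HOME=.*|ES_JAVA_HOME=$jdk|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf 'ES_JAVA_HOME=%s\n' "$jdk" >> "$file"
  fi
}

# Read `java -version` output on stdin and print just the version string,
# e.g. 17.0.1 or 1.8.0_312. Note that java writes -version to stderr, so
# call it as:  "$ES_JAVA_HOME/bin/java" -version 2>&1 | parse_java_version
parse_java_version() {
  sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Demonstration on a constructed sysconfig file (not the live system file).
demo_file=$(mktemp)
printf '%s\n' \
  '# constructed sample of /etc/sysconfig/elasticsearch' \
  '#ES_JAVA_HOME=/opt/old-jdk' \
  'ES_JAVA_HOME=/usr/share/elasticsearch/jdk' \
  'MAX_OPEN_FILES=65536' > "$demo_file"

echo "before: ES_JAVA_HOME=$(es_java_home_of "$demo_file")"
set_es_java_home "$demo_file" "/path/to/squirro/jdk-1.8"   # placeholder path
echo "after:  ES_JAVA_HOME=$(es_java_home_of "$demo_file")"

# Constructed `java -version` banner standing in for the bundled JDK.
printf 'openjdk version "17.0.1" 2021-10-19 LTS\n' | parse_java_version
rm -f "$demo_file" "$demo_file.bak"
```

After editing the real file, restart the Elasticsearch service and re-run the `java -version` check against the path you set, since a typo in ES_JAVA_HOME silently falls back to whatever JDK the service script finds next.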