Examples: query, "exact match", wildcard*, wild?ard, wild*rd
Fuzzy search: cake~ (finds cakes, bake)
Term boost: "red velvet"^4, chocolate^2
Field grouping: tags:(+work -"fun-stuff")
Escaping: Escape characters +-&|!(){}[]^"~*?:\ with \, e.g. \+
Range search: properties.timestamp:[1587729413488 TO *] (inclusive), properties.title:{A TO Z}(excluding A and Z)
Combinations: chocolate AND vanilla, chocolate OR vanilla, (chocolate OR vanilla) NOT "vanilla pudding"
Field search: properties.title:"The Title" AND text
Hello, Since Clearml-Server Uses Elasticsearch, Is There Any Security Issue Related To This

Hello, since clearml-server uses elasticsearch, is there any security issue related to this https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 ?

Posted one year ago
Votes Newest

Answers 3

Hi SubstantialElk6 , reading ElasticSearch's summary, it seems to me like they state that:
[Original post] CVE-2021-44228... Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage AND [Update December 15] CVE-2021-45046 ... Our guidance for Elasticsearch, APM Java Agent, and Logstash are unchanged by this new vulnerabilityAnd also that:
[Update December 17] The 7.16.1 and 6.8.21 releases of Elasticsearch and Logstash fully mitigate CVE-2021-44228 and CVE-2021-45046...

Posted one year ago

As stated there:
We've confirmed that the Security Manager mitigates the remote code execution attack in Elasticsearch 6 and 7;Which basically means ClearML-Server is not affected. We will include the -Dlog4j2.formatMsgNoLookups=true JVM flag (just to be on the safe side) in the coming release (and users can also do it right now in their own docker-compose, of course)

Posted one year ago

Hi we did a check. Only 7.16.1 and 6.8.21 and above mitigates the attack. What's the current version that ClearML is using?

Posted one year ago
3 Answers
one year ago
4 months ago