Log4Shell - outflanknl/RedELK Wiki

Info on Log4Shell vulnerability

RedELK prior to v2 beta 5 is vulnerable to Log4Shell. This is because:

Other components are either not vulnerable or implemented in such a way that they are not exploitable. Well, at least that is what we think after a quick review. The result of the review was either way that we should upgrade, so that is what we did. You can track our discussion on this topic here.

1 - preferred - New installation

The preferred way is to nuke your RedELK install and install at least version v2.0.0.0beta5.

2 - less preferred - upgrade your existing install

Warning: upgrading RedELK was never supported and never planned for. RedELK installs should not exist beyond a single operation, at most a few months.

However, due to Log4Shell, we tried to see if upgrading is possible without breaking too much.

On your elkserver:

On all your c2 servers and redirectors:

You can check that new events are coming in on your RedELK server by looking for agent.version fields containing 7.16.3.
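As an added example (not part of the RedELK wiki or the project's own tooling), the script below automates that check: it builds an Elasticsearch aggregation that returns the most recent event per agent host together with its agent.version, then lists hosts whose agent is still older than 7.16.3 so you can see which c2 servers or redirectors were missed. The Elasticsearch endpoint, the index pattern and the use of the ECS fields agent.hostname and agent.version are assumptions; the embedded response is constructed sample data, not output from a real RedELK server.

```python
import json
from urllib.request import Request, urlopen

# Version stated on the wiki page as the post-upgrade Beats version.
EXPECTED_VERSION = "7.16.3"


def parse_version(version):
    """Turn '7.16.3' into (7, 16, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def build_agent_query():
    """Elasticsearch query: one bucket per agent host, carrying that host's newest event.

    Field names are an assumption (standard ECS fields agent.hostname / agent.version).
    """
    return {
        "size": 0,
        "aggs": {
            "hosts": {
                "terms": {"field": "agent.hostname", "size": 500},
                "aggs": {
                    "latest": {
                        "top_hits": {
                            "size": 1,
                            "sort": [{"@timestamp": {"order": "desc"}}],
                            "_source": ["agent.version", "@timestamp"],
                        }
                    }
                },
            }
        },
    }


def outdated_agents(response, expected=EXPECTED_VERSION):
    """Return {hostname: version} for hosts whose latest event came from an agent
    older than `expected`. An empty dict means every reporting host is upgraded."""
    want = parse_version(expected)
    stale = {}
    for bucket in response["aggregations"]["hosts"]["buckets"]:
        source = bucket["latest"]["hits"]["hits"][0]["_source"]
        version = source["agent"]["version"]
        if parse_version(version) < want:
            stale[bucket["key"]] = version
    return stale


def fetch_agents(es_url="http://localhost:9200", index="*"):
    """Run the query against a live Elasticsearch (endpoint and index are assumptions;
    adapt to your RedELK server). Not exercised by the offline sample below."""
    body = json.dumps(build_agent_query()).encode()
    req = Request(f"{es_url}/{index}/_search", data=body,
                  headers={"Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response, shaped like an Elasticsearch terms + top_hits result.
# One hypothetical c2 host still runs an older Beats agent.
SAMPLE_RESPONSE = {
    "aggregations": {"hosts": {"buckets": [
        {"key": "elkserver",
         "latest": {"hits": {"hits": [{"_source": {"agent": {"version": "7.16.3"}}}]}}},
        {"key": "redir01",
         "latest": {"hits": {"hits": [{"_source": {"agent": {"version": "7.16.3"}}}]}}},
        {"key": "c2-01",
         "latest": {"hits": {"hits": [{"_source": {"agent": {"version": "7.10.2"}}}]}}},
    ]}}
}


if __name__ == "__main__":
    stale = outdated_agents(SAMPLE_RESPONSE)
    if stale:
        for host, version in sorted(stale.items()):
            print(f"{host}: agent.version {version} is older than {EXPECTED_VERSION}")
    else:
        print(f"all agents report {EXPECTED_VERSION} or newer")
```

Numeric comparison matters here: a plain string check for "7.16.3" would also miss any host that already moved to a later 7.16.x release, which is fine rather than a problem, so the script flags only hosts that are genuinely behind.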