
CVE-2021-44228 Log4Shell: log4j Remote code execution #357

Closed
Schnitzel opened this issue Dec 10, 2021 · 6 comments · Fixed by #358

@Schnitzel (Contributor)

Solr uses log4j: https://solr.apache.org/guide/6_6/configuring-logging.html

So we should check whether our Solr base images are affected by CVE-2021-44228 and, if so, release updated images ASAP.
Also check whether any other base images include log4j.

@bnagykekesi

The CVE mentions that Java 8 protects against remote code execution. Solr 7.7 seems to be using Java 11, so maybe that one is fine? https://github.com/docker-solr/docker-solr/blob/86159575c4b6da2010ae9ee003bf5a6de31157cb/7.7/Dockerfile

@koenadolfs

@bnagykekesi The Java version is only relevant for a specific attack vector.

@cdchris12 (Contributor) commented Dec 10, 2021

After some searching with @Schnitzel, we found the following versions of log4j running on our Solr containers:

  • testlagoon/solr-8: 2.14.1
  • uselagoon/solr-7.7: 2.11.0
  • uselagoon/solr-7: 2.11.0
  • amazeeio/solr:6 (deprecated): 1.7.7

This patch in #358 protects Solr versions 7, 7.7, and 8 from CVE-2021-44228.

Solr 6 has already been deprecated, but this CVE serves as further fuel to the fire for end users to migrate to more recent versions of Solr.

Elasticsearch is running:

  • uselagoon/elasticsearch-6: 2.11.1
  • uselagoon/elasticsearch-7: 2.11.1

This patch in #358 protects Elasticsearch versions 6 and 7 from CVE-2021-44228.

@Schnitzel (Contributor, Author) commented Dec 10, 2021

In order to protect our infrastructure faster, the amazee.io security team decided to roll out the same mitigation as in the #358 patch as env variables to all running pods. We achieved this with:

solr:

```bash
kubectl get deployments --all-namespaces --no-headers -l lagoon.sh/service-type=solr-php-persistent | awk '{system ("kubectl set env deployment/" $2 " -n " $1 " SOLR_OPTS=-Dlog4j2.formatMsgNoLookups=true")}'
```

elasticsearch:

```bash
kubectl get deployments --all-namespaces --no-headers -l lagoon.sh/service-type=elasticsearch-persistent | awk '{system ("kubectl set env deployment/" $2 " -n " $1 " ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true")}'
```

Like the patch, this will only work for Solr 7 and Solr 8. We don't have any mitigations for Solr 6 currently.
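The two comments above leave the reader with an inventory of log4j versions and a per-service JVM-options variable, and with the caveat that the `formatMsgNoLookups` flag only helps some of those images. The script below is an added example, not code from the lagoon-images project or from anyone in this thread: it encodes the version ranges that matter for CVE-2021-44228 (log4j 2.x before 2.15.0 is in scope; the `log4j2.formatMsgNoLookups` property exists from 2.10.0), applies them to an inventory constructed from the versions listed above, and emits the same `kubectl set env` invocation the thread uses for the deployments where the flag actually takes effect. The `INVENTORY`, `ENV_VAR_BY_SERVICE` table and namespace/deployment names are assumptions for illustration.

```python
"""Triage log4j versions from container images against CVE-2021-44228 and
build the per-deployment env-var mitigation used in this thread.

Added example; not the lagoon-images project's own code.  Version facts
relied on: log4j 2.x below 2.15.0 is in scope for CVE-2021-44228 (all 2.x
is treated as in range, which is conservative for the earliest betas and
for later back-port releases); the log4j2.formatMsgNoLookups property is
honoured only from 2.10.0 onward; 1.x is a different code base and is
outside this CVE."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: (image, lagoon.sh/service-type label, log4j version)
# taken from the versions reported in the comments above.
INVENTORY = [
    ("testlagoon/solr-8", "solr-php-persistent", "2.14.1"),
    ("uselagoon/solr-7.7", "solr-php-persistent", "2.11.0"),
    ("uselagoon/solr-7", "solr-php-persistent", "2.11.0"),
    ("amazeeio/solr:6", "solr-php-persistent", "1.7.7"),
    ("uselagoon/elasticsearch-6", "elasticsearch-persistent", "2.11.1"),
    ("uselagoon/elasticsearch-7", "elasticsearch-persistent", "2.11.1"),
]

# JVM-options variable each service type honours, as used in the thread.
ENV_VAR_BY_SERVICE = {
    "solr-php-persistent": "SOLR_OPTS",
    "elasticsearch-persistent": "ES_JAVA_OPTS",
}

MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerates a trailing qualifier such as '-beta9'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable log4j version: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


@dataclass
class Triage:
    affected: bool        # version is in the CVE-2021-44228 range
    flag_effective: bool  # formatMsgNoLookups is honoured by this version
    note: str


def triage(version: str) -> Triage:
    """Classify one log4j version against the CVE and the env-var mitigation."""
    v = parse_version(version)
    if v[0] != 2:
        return Triage(False, False, "not log4j 2.x; outside this CVE, review separately")
    if v >= (2, 15, 0):
        return Triage(False, False, "2.15.0+ no longer performs message lookups by default")
    if v >= (2, 10, 0):
        return Triage(True, True, "vulnerable; formatMsgNoLookups mitigates until upgraded")
    return Triage(True, False, "vulnerable; property unsupported before 2.10.0, upgrade required")


def mitigation_command(namespace: str, deployment: str, service_type: str) -> Optional[str]:
    """The kubectl invocation from the thread, for one deployment, or None
    when the service type has no known JVM-options variable."""
    var = ENV_VAR_BY_SERVICE.get(service_type)
    if var is None:
        return None
    return f"kubectl set env deployment/{deployment} -n {namespace} {var}={MITIGATION_FLAG}"


def plan(inventory=INVENTORY) -> dict:
    """Per image: triage result and whether the env-var rollout is worth doing."""
    out = {}
    for image, service_type, version in inventory:
        t = triage(version)
        out[image] = {
            "version": version,
            "affected": t.affected,
            "env_mitigation": t.affected and t.flag_effective and service_type in ENV_VAR_BY_SERVICE,
            "note": t.note,
        }
    return out


if __name__ == "__main__":
    for image, info in plan().items():
        print(f"{image:28} log4j {info['version']:7} affected={info['affected']!s:5} "
              f"env_mitigation={info['env_mitigation']!s:5} {info['note']}")
    # Hypothetical namespace/deployment names for illustration.
    print(mitigation_command("my-project-main", "solr", "solr-php-persistent"))
```

Run stand-alone it prints one line per image; the Solr 6 image comes out as `affected=False env_mitigation=False` with the "review separately" note, which matches the thread's statement that the flag does nothing for that image, while every 2.11.x and 2.14.1 image is marked as both affected and mitigable by the env var. The point of `triage` returning both flags separately is that a 2.x image below 2.10 would be affected yet not mitigable, which a plain "is it vulnerable" check would hide.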

@Schnitzel changed the title from "Check Lagoon Base Images for CVE-2021-44228: log4j Remote code execution" to "CVE-2021-44228 Log4Shell: log4j Remote code execution" on Dec 10, 2021

@Schnitzel (Contributor, Author)

Just for completeness: in case somebody uses OpenDistro installed following the documentation on how to install Lagoon into an existing cluster with Elasticsearch (https://docs.lagoon.sh/lagoon/using-lagoon-advanced/installing-lagoon-into-existing-kubernetes-cluster), this diff:

https://gist.github.com/Schnitzel/1e386654b6abf75bf4d66a544db4aa6a/revisions#diff-6eb5aa2af122281945d8d42cc285a04af319c927fec0b2e03ce47987c39985a2

shows how to add the mitigation to the OpenDistro pods.

@tobybellwood (Member)

A Lagoon-images release will come out in the next couple of hours to add these variables.
