An update on the Apache Log4j CVE-2021-44228 security vulnerability
Log4Shell RCE 0-day exploit
Update
CrateDB 4.6.7 with updated log4j 2.17.1 is released. We recommend upgrading your CrateDB clusters.
CrateDB 4.6.6 is released and includes updated log4j 2.15.0 to fix CVE-2021-44228. We recommend upgrading your CrateDB clusters.
Introduction
On Thursday (December 9th), a 0-day exploit in the commonly used Java logging library Apache Log4j 2 was discovered; see Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec.
Logging a specially crafted string can lead to Remote Code Execution (RCE). CrateDB is also affected by this vulnerability.
How does it work?
The Swiss Government published an excellent article with a lot of valuable information about how an exploit might work and how to mitigate it: Zero-Day Exploit Targeting Popular Java Library Log4j.
Mitigation
Until the fixed version is fully released, the agreed-on mitigation is to set the Log4j configuration property log4j2.formatMsgNoLookups to true, which disables message lookups (see also How to Mitigate the Issue), by providing the following option on CrateDB startup.
Either add this to your Java options:
-Dlog4j2.formatMsgNoLookups=true
or this to your environment variables:
LOG4J_FORMAT_MSG_NO_LOOKUPS=true
The mitigation will work starting with CrateDB 3.2.0 [1]. All other users are strongly encouraged to upgrade their instances.
CrateDB Cloud
All CrateDB Cloud instances have been patched. If you have any questions, please contact CrateDB Support.
CrateDB (On-premises / Enterprise / Community)
CrateDB tarball
Start CrateDB with the following setting:
crate -Dlog4j2.formatMsgNoLookups=true
CrateDB RPM / DEB packages
For users of the RPM/DEB packages, the setting should be added to the CRATE_JAVA_OPTS environment variable in the file /etc/default/crate:
-Dlog4j2.formatMsgNoLookups=true
CrateDB container images
When running Docker, pass the LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable when starting the container, such as:
docker run --env=LOG4J_FORMAT_MSG_NO_LOOKUPS=true --publish=4200:4200 --publish=5432:5432 crate -Cdiscovery.type=single-node
When using Docker Compose, a corresponding configuration snippet would look like:
version: "3"
services:
  cratedb:
    image: crate:4.6.5
    environment:
      # Quoted on purpose: Compose expects environment values to be strings, and a bare YAML boolean is rejected.
      LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"
    ports:
      - "4200:4200"
      - "5432:5432"
When using Kubernetes, the relevant part of the StatefulSet manifest where LOG4J_FORMAT_MSG_NO_LOOKUPS=true has to be added, as per Run CrateDB on Kubernetes — CrateDB: How-Tos, is:
kind: StatefulSet
apiVersion: "apps/v1"
metadata:
  name: crate
spec:
  serviceName: "crate-set"
  template:
    spec:
      containers:
        - name: crate
          image: crate:4.6.5
          env:
            - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
              value: "true"
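As an added check (not from the post and not CrateDB's own tooling), the POSIX shell script below reports whether a CrateDB process has the mitigation described above in effect, given its command line, its environment and the version of the bundled log4j-core jar. The jar path, the 2.11.1 version and the command line in the sample call are constructed; the script uses two facts from this post, namely that the setting is only honoured from Log4j 2.10.0 on and that 2.15.0 is the version named as fixing CVE-2021-44228.

```shell
#!/bin/sh
# Added example, not part of the CrateDB post: report whether a CrateDB JVM
# has the Log4Shell mitigation described above in effect. Inputs are strings,
# so the check can be fed a captured command line, the process environment
# (/proc/<pid>/environ is NUL-separated; pipe it through `tr '\0' '\n'`)
# and the name of the bundled log4j-core jar.

# version_ge A B: exit 0 when dotted version A >= B (major.minor.patch).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# log4j_version_from_jar PATH: "lib/log4j-core-2.10.0.jar" -> "2.10.0"
log4j_version_from_jar() {
    v=${1##*/}; v=${v#log4j-core-}; printf '%s\n' "${v%.jar}"
}

# log4shell_status CMDLINE ENVIRON LOG4J_VERSION prints one of:
#   fixed        - log4j-core >= 2.15.0, the version the post names as fixing CVE-2021-44228
#   mitigated    - lookups disabled via the JVM option or the env variable, log4j >= 2.10.0
#   flag-ignored - the setting is present but Log4j < 2.10.0 does not implement it ([1])
#   vulnerable   - neither a fixed log4j nor the mitigation setting was found
log4shell_status() {
    cmdline=$1; environ=$2; log4j=$3
    if version_ge "$log4j" "2.15.0"; then
        echo fixed; return 0
    fi
    flag=0
    case " $cmdline " in *" -Dlog4j2.formatMsgNoLookups=true "*) flag=1 ;; esac
    case "$environ" in *"LOG4J_FORMAT_MSG_NO_LOOKUPS=true"*) flag=1 ;; esac
    if [ "$flag" -eq 1 ]; then
        if version_ge "$log4j" "2.10.0"; then echo mitigated; else echo flag-ignored; fi
        return 0
    fi
    echo vulnerable
}

# Constructed sample: a tarball install started as in the post with a (made-up) log4j 2.11.1.
log4shell_status "crate -Dlog4j2.formatMsgNoLookups=true" "PATH=/usr/bin" \
    "$(log4j_version_from_jar lib/log4j-core-2.11.1.jar)"   # prints "mitigated"
```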
Further notes
We will keep you updated!
Updates
- CrateDB 4.6.6 tarballs are available: Index of /downloads/releases/cratedb/
- All CrateDB Cloud instances have been patched.
- Add details about Log4j version 2.10.0.
- CrateDB testing release 4.6.6 is available as RPM and DEB packages as well as container images at crate/crate:4.6.6.
- Official CrateDB Docker image is published.
[1] CrateDB 3.2.0 ships with Log4j version 2.10.0, which includes the configuration setting log4j2.formatMsgNoLookups.