Security Vulnerability - Log4Shell RCE 0-day exploit

An update on the Apache Log4j CVE-2021-44228 security vulnerability

Log4Shell RCE 0-day exploit

Update

CrateDB 4.6.7 with updated log4j 2.17.1 is released. We recommend upgrading your CrateDB clusters.

CrateDB 4.6.6 is released and includes updated log4j 2.15.0 to fix CVE-2021-44228. We recommend upgrading your CrateDB clusters.

Introduction

On Thursday (December 9th), a 0-day exploit in the commonly used Java logging library Apache Log4j 2 was discovered, see Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec.

This could lead to Remote Code Execution (RCE) by logging a certain string. CrateDB is also affected by this vulnerability.

How does it work?

The Swiss Government published an excellent article with much valuable information about how an exploit might work and how to mitigate it at Zero-Day Exploit Targeting Popular Java Library Log4j.

Mitigation

Until this new version is fully released, the agreed-on mitigation involves disabling the Log4j configuration setting log4j2.formatMsgNoLookups (see also How to Mitigate the Issue), by providing the following option on CrateDB startup.

Either add this to your Java options:

-Dlog4j2.formatMsgNoLookups=true

or this to your environment variables:

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

The mitigation will work starting with CrateDB 3.2.0 [1]. All other users are strongly encouraged to upgrade their instances.


CrateDB Cloud

All CrateDB Cloud instances have been patched. If you have any questions, please contact CrateDB Support.


CrateDB (On-premises / Enterprise / Community)

CrateDB tarball
Start CrateDB with the following settings:

crate -Dlog4j2.formatMsgNoLookups=true

CrateDB RPM / DEB packages

For users using RPM/DEB packages, those settings should be included in the CRATE_JAVA_OPTS environment variable within the file /etc/default/crate:

-Dlog4j2.formatMsgNoLookups=true

CrateDB container images

When running Docker, use the LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable when starting the container, such as:

docker run --env=LOG4J_FORMAT_MSG_NO_LOOKUPS=true --publish=4200:4200 --publish=5432:5432 crate -Cdiscovery.type=single-node

When using Docker Compose, a corresponding configuration snippet would look like:

version: "3"
services:
  cratedb:
    image: crate:4.6.5
    environment:
      LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"
    ports:
      - "4200:4200"
      - "5432:5432"

When using Kubernetes, the relevant part of the StatefulSet manifest in which to add LOG4J_FORMAT_MSG_NO_LOOKUPS=true, as per Run CrateDB on Kubernetes — CrateDB: How-Tos, is:

kind: StatefulSet
apiVersion: "apps/v1"
metadata:
  name: crate
spec:
  serviceName: "crate-set"
  template:
    spec:
      containers:
      - name: crate
        image: crate:4.6.5
        env:
        - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
          value: "true"

Further notes

We will keep you updated!


Updates

  • CrateDB 4.6.6 tarballs are available: Index of /downloads/releases/cratedb/
  • All CrateDB Cloud instances have been patched.
  • Add details about Log4j version 2.10.0.
  • CrateDB testing release 4.6.6 is available as RPM and DEB packages as well as container images at crate/crate:4.6.6.
  • Official CrateDB Docker image is published.

[1] CrateDB 3.2.0 ships with Log4j version 2.10.0, which includes the configuration setting log4j2.formatMsgNoLookups.

2 Likes
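
One way to check a node against the guidance in the announcement above, as an added example that is not part of the original post or CrateDB's own tooling: it reads log4j-core jar versions from a directory and reports whether each is patched for CVE-2021-44228, covered by the flag, or below Log4j 2.10.0, where the flag has no effect. The function names and the directory to scan are assumptions; the jar files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not CrateDB tooling): audit log4j-core jars against the
# version thresholds and mitigation switches named in the post above.

# ver_num X.Y.Z -> one integer for numeric comparison; "-beta9" style suffixes are dropped
ver_num() {
  v=${1%%-*}
  old_ifs=$IFS; IFS=.
  set -- $v
  IFS=$old_ifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# flag_set JAVA_OPTS ENV_VALUE -> success if either mitigation form from the post is active
flag_set() {
  case " $1 " in *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;; esac
  [ "$2" = "true" ]
}

# classify VERSION JAVA_OPTS ENV_VALUE -> one status word
classify() {
  n=$(ver_num "$1")
  if   [ "$n" -ge "$(ver_num 2.15.0)" ]; then echo "patched-44228"     # 2.15.0 fixes CVE-2021-44228
  elif [ "$n" -lt "$(ver_num 2.10.0)" ]; then echo "upgrade-required"  # setting absent before 2.10.0
  elif flag_set "$2" "$3"; then echo "mitigated-by-flag"
  else echo "vulnerable"
  fi
}

# audit_dir DIR JAVA_OPTS ENV_VALUE -> one "version status" line per log4j-core jar found
audit_dir() {
  for jar in "$1"/log4j-core-*.jar; do
    [ -e "$jar" ] || continue          # glob matched nothing
    ver=${jar##*/log4j-core-}; ver=${ver%.jar}
    echo "$ver $(classify "$ver" "$2" "$3")"
  done
}

# Demo on constructed, empty files. For a real node, point audit_dir at the
# directory holding its jars (assumption: the lib/ directory of the install).
demo=$(mktemp -d)
touch "$demo/log4j-core-2.9.1.jar" "$demo/log4j-core-2.11.1.jar" "$demo/log4j-core-2.17.1.jar"
audit_dir "$demo" "${CRATE_JAVA_OPTS:-}" "${LOG4J_FORMAT_MSG_NO_LOOKUPS:-}"
rm -rf "$demo"
```

A status of patched-44228 only reflects the 2.15.0 threshold; the later fixes discussed in the replies (2.16.0, 2.17.0, 2.17.1) still call for upgrading to the newest release.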

CVE-2021-45046 has been reported on log4j 2.15.0. Will there be a newer version of CrateDB after 4.6.6 to fix this?

Hi @vinayak.shukre,

By default, CrateDB is not affected by CVE-2021-45046 unless you proactively change your log4j configuration to use one of the problematic patterns.

That being said, an update to log4j 2.16.0, which fixes CVE-2021-45046, is already merged and backported to the 4.6 branch. There won’t be an immediate hotfix release for this; rather, it will be part of the next regular hotfix release.

See CVE-2021-45046 - log4j · Issue #11984 · crate/crate · GitHub

1 Like

Hi everyone,

CrateDB 4.6.6, which mitigates CVE-2021-44228 by bumping to log4j2 2.15, has been published to the “stable” release channels, the corresponding official container image crate:4.6.6 is also available.

With kind regards,
Andreas.

2 Likes

Thanks. This helps me.

1 Like

Hi again,

We just wanted to inform you that the same holds true for CVE-2021-45105 published last Saturday, because the log4j configuration shipped with CrateDB doesn’t include any of the problematic layout patterns.

As a precaution in case users changed the default configuration, a corresponding patch to upgrade to log4j version 2.17.0 has been integrated, see Update log4j to 2.17.0 by mfussenegger · Pull Request #11995 · crate/crate · GitHub.

With kind regards,
Andreas.

1 Like

Thanks. What is the planned release date of 4.6.x or 4.7.x release with log4j 2.17.0?

Currently we don’t have a planned release date. I expect that 4.6.7 will be released in mid/end January.

1 Like

Meanwhile, there is a newer vulnerability in log4j-2.17.0, which is fixed in 2.17.1. So if you are releasing crate 4.6.7 in late January anyway, can it come with log4j 2.17.1?

Dear Vinayak,

thank you for asking. The upcoming release will ship with log4j-2.17.1, right. See Update log4j to 2.17.1 by mfussenegger · Pull Request #12006 · crate/crate · GitHub.

With kind regards,
Andreas.

1 Like

@vinayak.shukre FYI: CrateDB 4.6.7 with log4j-2.17.1 was released today :tada:

2 Likes

Thanks @jayeff for informing proactively.

2 Likes