Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)

On OpenShift 4 and OpenShift 3.11 in OpenShift Logging the above mitigation can be applied to the affected Elasticsearch component.

Parst of the Openshift series

OpenShift 3.11

Resolution:

oc project openshift-logging

oc get dc -l component=es
NAME                              REVISION   DESIRED   CURRENT   TRIGGERED BY
logging-es-data-master-9fgtlhi4   1          1         1

oc set env -c elasticsearch dc/logging-es-data-master-9fgtlhi4 ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

# test the configuration
oc set env -c elasticsearch dc -l component=es --list | grep ES_JAVA_OPTS

oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=0
oc rollout latest dc/logging-es-data-master-9fgtlhi4
oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=1

Afther the pod is recreated test the variable in the pods:

for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}'); \
   do echo "Confirm changes on $es_pod" ;  sleep 1 ; \
   oc rsh -Tc elasticsearch $es_pod ps auxwww | grep log4j2.formatMsgNoLookups ; sleep 3; \
   done


for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}'); \
   do echo "Confirm changes on $es_pod" ;  sleep 1 ; \
   oc rsh -Tc elasticsearch $es_pod printenv | grep ES_JAVA_OPTS ; sleep 3; \
   done

OpenShift 4

Resolution:

oc project openshift-logging

oc get deployment -l component=elasticsearch
NAME                                      REVISION   DESIRED   CURRENT   TRIGGERED BY
elasticsearch-cdm-ba9c6evk-1-796f6cfdbc   1          1         1

oc patch deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc --type=merge -p '{"spec":{"paused": false}}'
oc set env deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc -c elasticsearch ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

oc set env -c elasticsearch deployment -l component=elasticsearch --list | grep ES_JAVA_OPTS

oc scale deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc --replicas=0

Afther the pod is recreated test the variable in the pods:

oc get pods -l component=elasticsearch

oc  set env -c elasticsearch pods -l component=elasticsearch --list | grep ES_JAVA_OPTS

oc exec -c elasticsearch elasticsearch-cdm-ba9c6evk-1-796f6cfdbc-4dqc6 -- grep -a log4j2.formatMsgNoLookups /proc/1/cmdline