Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
On both OpenShift 4 and OpenShift 3.11 the Log4Shell mitigation, starting the JVM with -Dlog4j2.formatMsgNoLookups=true, can be applied to the affected Elasticsearch component of OpenShift Logging by injecting the flag through the ES_JAVA_OPTS environment variable. This is an interim measure: the property only disables message lookups in log4j 2.10 and later and does not replace upgrading to a fixed Elasticsearch/OpenShift Logging release. Setting the variable on the Deployment or DeploymentConfig is not enough on its own; the pod has to be recreated, and you should confirm the flag is present on the command line of the running JVM (the checks at the end of each section below) and re-check after every operator or cluster update.
Parts of the Openshift series
- Part1: Install Openshift
- Part2: How to Enable Auto Approval of CSR in Openshift v3.11
- Part3: Add new workers to Openshift cluster
- Part4: Change the certificates of the Openshift cluster
- Part5: LDAP authentication for Openshift
- Part6: Keycloak SSO authentication for Openshift
- Part7: Gitlab SSO authentication for Openshift
- Part8a: Ceph persistent storage for Openshift
- Part8b: vSphere persistent storage for Openshift
- Part9: Helm on Openshift
- Part10: Tillerless Helm on Openshift
- Part11: Use external docker registry on Openshift
- Part12: Secondary router on Openshift
- Part13a: Use Letsencrypt on Openshift
- Part13b: Install cert-manager on Openshift
- Part14: Create Openshift operators
- Part15: Convert docker-compose file to Openshift
- Part16a: Openshift elasticsearch search-guard error
- Part16b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
OpenShift 3.11
Resolution:
oc project openshift-logging
oc get dc -l component=es
NAME REVISION DESIRED CURRENT TRIGGERED BY
logging-es-data-master-9fgtlhi4 1 1 1
oc set env -c elasticsearch dc/logging-es-data-master-9fgtlhi4 ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
# verify the variable is now set on the DeploymentConfig (this does not yet prove the running JVM has it)
oc set env -c elasticsearch dc -l component=es --list | grep ES_JAVA_OPTS
# the logging DeploymentConfig has no triggers (TRIGGERED BY is empty above), so the change is not rolled out by itself;
# scaling to 0 first makes sure the old pod has stopped before the new one is started
oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=0
oc rollout latest dc/logging-es-data-master-9fgtlhi4
oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=1
After the pod has been recreated, confirm that the running Elasticsearch JVM actually started with the flag (process command line) and that the container environment carries it:
for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}'); \
do echo "Confirm changes on $es_pod" ; sleep 1 ; \
oc rsh -Tc elasticsearch $es_pod ps auxwww | grep log4j2.formatMsgNoLookups ; sleep 3; \
done
for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}'); \
do echo "Confirm changes on $es_pod" ; sleep 1 ; \
oc rsh -Tc elasticsearch $es_pod printenv | grep ES_JAVA_OPTS ; sleep 3; \
done
OpenShift 4
Resolution:
oc project openshift-logging
oc get deployment -l component=elasticsearch -o name
deployment.apps/elasticsearch-cdm-ba9c6evk-1
# the Elasticsearch Operator keeps these Deployments paused; unpause so the env change can roll out
oc patch deployment/elasticsearch-cdm-ba9c6evk-1 --type=merge -p '{"spec":{"paused": false}}'
oc set env deployment/elasticsearch-cdm-ba9c6evk-1 -c elasticsearch ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
# verify the variable is now in the Deployment spec
oc set env -c elasticsearch deployment -l component=elasticsearch --list | grep ES_JAVA_OPTS
oc scale deployment/elasticsearch-cdm-ba9c6evk-1 --replicas=0
After the pod has been recreated (scale the Deployment back to 1 yourself if it has not come back), check the variable in the pods. Repeat this for every Elasticsearch Deployment when the cluster runs more than one node, and re-run the checks after any Elasticsearch Operator update, since the operator owns these Deployments:
oc get pods -l component=elasticsearch
oc set env -c elasticsearch pods -l component=elasticsearch --list | grep ES_JAVA_OPTS
oc exec -c elasticsearch elasticsearch-cdm-ba9c6evk-1-796f6cfdbc-4dqc6 -- grep -a log4j2.formatMsgNoLookups /proc/1/cmdline
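The verification loops in the 3.11 and 4 sections above match the flag as a substring, so a value such as -Dlog4j2.formatMsgNoLookups=false would also pass them. The bash helpers below are an added example and not part of the original post: they require an exact argument match against a captured JVM command line (NUL-separated as in /proc/<pid>/cmdline, or whitespace-separated as in ps output) and against a printenv dump, and wrap both checks in one loop over the running Elasticsearch pods that works for either OpenShift version. The function names, the check_es_pods container/label arguments and the constructed sample command lines at the end are assumptions for illustration; check_es_pods itself needs a logged-in oc with the openshift-logging project selected.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that the Log4Shell
# mitigation flag really reached the running Elasticsearch JVM, using an
# exact argument match rather than a substring grep.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# cmdline_has_flag FILE
# FILE holds one or more JVM command lines, either NUL-separated (a copy of
# /proc/<pid>/cmdline) or whitespace-separated (a line of ps output).
# Returns 0 when FLAG is present as an argument of its own, 1 otherwise.
cmdline_has_flag() {
    tr '\0' '\n' < "$1" | tr -s ' \t' '\n\n' | grep -qxF -- "$FLAG"
}

# env_has_flag FILE
# FILE holds "printenv" output. Returns 0 when ES_JAVA_OPTS contains FLAG as
# one of its space-separated options, 1 otherwise (also when it is absent).
env_has_flag() {
    grep -- '^ES_JAVA_OPTS=' "$1" | cut -d= -f2- | tr -s ' \t' '\n\n' | grep -qxF -- "$FLAG"
}

# check_es_pods CONTAINER LABEL   (hypothetical wrapper, needs a logged-in oc)
# 3.11: check_es_pods elasticsearch component=es
# 4.x:  check_es_pods elasticsearch component=elasticsearch
# Reads the command lines of every process in the container, because the JVM
# is not necessarily PID 1, and the container env. Returns 1 if any pod fails.
check_es_pods() {
    local container=$1 label=$2 rc=0 pod tmp
    tmp=$(mktemp)
    for pod in $(oc get pods -l "$label" --no-headers \
        -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}'); do
        oc exec -c "$container" "$pod" -- sh -c 'cat /proc/[0-9]*/cmdline' > "$tmp"
        if cmdline_has_flag "$tmp"; then
            echo "$pod: JVM started with $FLAG"
        else
            echo "$pod: FLAG MISSING from JVM command line" >&2
            rc=1
        fi
        oc exec -c "$container" "$pod" -- printenv > "$tmp"
        env_has_flag "$tmp" || { echo "$pod: ES_JAVA_OPTS does not carry $FLAG" >&2; rc=1; }
    done
    rm -f "$tmp"
    return $rc
}

# Offline demonstration on constructed input (no cluster needed).
demo=$(mktemp)
printf 'java\0-Xms1g\0%s\0-cp\0/usr/share/elasticsearch/lib/*\0' "$FLAG" > "$demo"
if cmdline_has_flag "$demo"; then echo "mitigated command line: OK"; fi
printf 'java\0-Xms1g\0-Dlog4j2.formatMsgNoLookups=false\0' > "$demo"
if ! cmdline_has_flag "$demo"; then echo "flag set to false: correctly rejected"; fi
rm -f "$demo"
```

Run check_es_pods once per OpenShift version after the pods have been recreated; a non-zero exit means at least one Elasticsearch JVM is still running without the flag, which is exactly the case the substring grep would miss when the value is wrong rather than absent.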