Kubesphere’s latest fix for Apache log4j 2 Remote Code Execution Vulnerability

Time:2021-12-28

Apache Log4j 2 is an open-source logging library that is widely used across Java frameworks. A remote code execution vulnerability in Log4j 2 was recently disclosed. This article gives KubeSphere users recommended mitigations.

The vulnerability lies in the lookup feature of Log4j 2, which resolves `${...}` expressions in a log message at format time, including JNDI lookups that fetch objects over protocols such as LDAP and RMI. Because message contents were not restricted before these lookups ran, an attacker who can get a crafted string into a log line can make the application load and execute remote code. Since a large number of projects log through Log4j 2, many Java products are affected, including but not limited to Apache Solr, spring-boot-starter-log4j2, Apache Struts 2, Elasticsearch, Dubbo, Logstash and Kafka. For more components, refer to the Log4j 2 documentation.

Affected versions are Apache Log4j 2.x earlier than 2.15.0-rc2. At the time of writing Apache had published 2.15.0-rc2, which fixes the vulnerability, but as a release candidate rather than a formal release it may be unstable; back up the relevant data before upgrading. Upgrading Log4j is the real fix. The settings below only disable message lookups: they take effect only on Log4j 2.10 and later (older versions need the JndiLookup class removed from log4j-core instead), and Apache later found that disabling lookups does not protect every configuration.

Apache also documents three ways to apply that mitigation without upgrading:

  • Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true (the widely circulated advice to export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS names the Java constant inside Log4j, not a variable the process reads from its environment)
  • Set the Log4j property log4j2.formatMsgNoLookups=true (Log4j reads it from system properties, the environment, or a log4j2.component.properties file on the classpath, not from the logging configuration file)
  • Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true

The three methods below apply these to the Elasticsearch deployment in KubeSphere; pick one of them.

Method 1: modify system environment variables

KubeSphere's logging component runs Elasticsearch by default, and Elasticsearch logs through Log4j 2, so the mitigation has to be applied to the Elasticsearch workloads in the kubesphere-logging-system namespace. The following describes how to do that in KubeSphere.

Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true on the Elasticsearch containers (this requires the bundled Log4j to be 2.10 or later). Elasticsearch is deployed as two StatefulSets, so edit both:

kubectl edit  statefulset  elasticsearch-logging-data -n kubesphere-logging-system
kubectl edit  statefulset  elasticsearch-logging-discovery  -n kubesphere-logging-system

In both manifests, add the variable to the env list of the Elasticsearch container under spec.template.spec.containers:

env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
  value: "true"

Saving the edit changes the pod template, so the StatefulSet rolls its pods automatically. Once they are back, confirm the variable is present in the container, for example with kubectl exec -n kubesphere-logging-system elasticsearch-logging-data-0 -- env | grep LOG4J. Note that Elastic's own advisory recommends the JVM flag of Method 3 for Elasticsearch, which is the most reliable option there.

Method 2: modify log4j 2 configuration

Alternatively, harden the Log4j 2 configuration itself. KubeSphere mounts it into Elasticsearch from the elasticsearch-logging ConfigMap, which you can edit with:

kubectl edit configmaps elasticsearch-logging  -n kubesphere-logging-system

The ConfigMap carries a log4j2.properties with a PatternLayout. The key log4j2.formatMsgNoLookups is a Log4j system property and is not read from this file, so adding it here has no effect. What does work in the configuration file (Log4j 2.7 and later) is telling the message converter itself not to resolve lookups, by changing %m to %m{nolookups} in every layout pattern:

log4j2.properties: |-
    status=error
    appender.console.type=Console
    appender.console.name=console
    appender.console.layout.type=PatternLayout
    # Change %m to %m{nolookups}; %marker is a different converter and stays as it is
    appender.console.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%m{nolookups}%n
    rootLogger.level=info
    rootLogger.appenderRef.console.ref=console
    logger.searchguard.name=com.floragunn
    logger.searchguard.level=info

Note:

  1. After the change, check that the new content has actually reached the pod: a ConfigMap volume is refreshed by the kubelet only after a delay, and Elasticsearch may not reload its Log4j configuration on its own, so restart the pods (kubectl rollout restart on both StatefulSets) to be safe, then verify that the mounted file inside the pod shows %m{nolookups}. This change only covers the patterns in this file; any other layout Elasticsearch uses is unaffected.
  2. If you reinstall the KubeSphere logging component, ks-installer may reset this ConfigMap. Either reapply the change by hand or use Method 1 (the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) instead.
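To check the ConfigMap content itself rather than eyeballing it, the following Python script is an added example (not KubeSphere's code): it parses a log4j2.properties document like the one above, reports whether every layout pattern already uses %m{nolookups}, flags a stray log4j2.formatMsgNoLookups key (which Log4j does not read from this file), and rewrites the patterns in place so the result can be pasted back into the ConfigMap. The properties file it runs on is the page's own, constructed here as sample input with the ineffective key added so that the check has something to flag.

```python
import re
import sys

# Constructed sample: the log4j2.properties from the elasticsearch-logging ConfigMap,
# plus the ineffective `log4j2.formatMsgNoLookups` key so the audit has something to flag.
SAMPLE_PROPERTIES = """\
status=error
appender.console.type=Console
appender.console.name=console
appender.console.layout.type=PatternLayout
appender.console.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
rootLogger.level=info
rootLogger.appenderRef.console.ref=console
logger.searchguard.name=com.floragunn
logger.searchguard.level=info
log4j2.formatMsgNoLookups=true
"""

# A message converter: '%', an optional width/precision modifier, then m|msg|message as a
# whole word, not already followed by {nolookups}. The \b keeps %marker (a different
# converter) from matching, because its 'm' is followed by a word character.
MESSAGE_CONVERTER = re.compile(
    r"%(?P<mod>-?\d*(?:\.\d+)?)(?P<name>msg|message|m)\b(?!\{nolookups\})"
)

# Keys that belong to the system-property mitigation; this file cannot set them.
SYSTEM_PROPERTY_KEYS = {"log4j2.formatMsgNoLookups", "formatMsgNoLookups"}


def parse_properties(text):
    """Minimal key=value parser: order-preserving, skips blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def harden_pattern(pattern):
    """Insert {nolookups} after every message converter that lacks it (Log4j 2.7 and later)."""
    return MESSAGE_CONVERTER.sub(
        lambda m: f"%{m.group('mod')}{m.group('name')}{{nolookups}}", pattern
    )


def is_pattern_hardened(pattern):
    """True when no message converter in the pattern still resolves lookups."""
    return MESSAGE_CONVERTER.search(pattern) is None


def audit(text):
    """Per-pattern hardened flag, plus keys Log4j will silently ignore in this file."""
    props = parse_properties(text)
    return {
        "patterns": {k: is_pattern_hardened(v)
                     for k, v in props.items() if k.endswith(".layout.pattern")},
        "ignored_keys": sorted(k for k in props if k in SYSTEM_PROPERTY_KEYS),
    }


def harden_properties(text):
    """Rewrite *.layout.pattern lines in place, keeping comments, order and everything else."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and stripped[0] not in "#!" and "=" in stripped:
            key, value = stripped.split("=", 1)
            if key.strip().endswith(".layout.pattern"):
                indent = line[: len(line) - len(line.lstrip())]
                line = f"{indent}{key.strip()}={harden_pattern(value.strip())}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    # Pipe the real file in, e.g.
    #   kubectl get cm elasticsearch-logging -n kubesphere-logging-system \
    #     -o jsonpath='{.data.log4j2\.properties}' | python3 harden_log4j2.py
    # or run without input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROPERTIES
    print("# audit:", audit(text), file=sys.stderr)
    sys.stdout.write(harden_properties(text))
```

The hardened output goes to stdout and the audit report to stderr, so the script can be used as a filter; run the audit again on the mounted file inside the pod after the rollout to confirm the change actually landed.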

Method 3: modify the JVM parameters of elasticsearch

Besides the two methods above, you can pass the flag directly to the Elasticsearch JVM, which is what Elastic's advisory recommends. On Kubernetes the simplest way is the ES_JAVA_OPTS environment variable, which the Elasticsearch image appends to the JVM options: add -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS on both StatefulSets (keeping any heap settings already there), or add the flag to a jvm.options file mounted into the container. After the pods restart, GET _nodes/jvm on the cluster lists the flag under input_arguments. Like Method 1, this only takes effect on Log4j 2.10 and later. See Elastic's announcement for details.
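Methods 1 and 3 both come down to adding an environment variable to every Elasticsearch container in two StatefulSets. The following Python script is an added example, not KubeSphere's or Elastic's code: given the JSON that kubectl get statefulset ... -o json prints, it reports which containers already carry either mitigation and builds a strategic merge patch for kubectl patch that adds the missing one, appending the JVM flag to an existing ES_JAVA_OPTS instead of overwriting it. The StatefulSet manifest embedded below is a constructed, abbreviated sample; the container name "elasticsearch", the image tag and the heap settings in it are assumptions, not KubeSphere's actual manifest.

```python
import json
import sys

ENV_NAME = "LOG4J_FORMAT_MSG_NO_LOOKUPS"        # Method 1 (needs Log4j 2.10+)
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"   # Method 3, passed through ES_JAVA_OPTS

# Constructed, abbreviated sample of `kubectl get statefulset elasticsearch-logging-data -o json`.
# Container name, image and ES_JAVA_OPTS value are assumptions, not KubeSphere's manifest.
SAMPLE_STS = {
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "elasticsearch-logging-data",
                 "namespace": "kubesphere-logging-system"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "elasticsearch", "image": "elasticsearch:6.8.1",
         "env": [{"name": "ES_JAVA_OPTS", "value": "-Xms512m -Xmx512m"}]},
    ]}}},
}


def _containers(sts):
    return sts["spec"]["template"]["spec"]["containers"]


def _env_values(container):
    """Map env name -> literal value; entries set via valueFrom have no literal and are skipped."""
    return {e["name"]: e["value"] for e in container.get("env", []) if "value" in e}


def mitigation_status(sts):
    """Return {container name: True if it already disables lookups by either method}."""
    status = {}
    for c in _containers(sts):
        env = _env_values(c)
        by_env = env.get(ENV_NAME, "").strip().lower() == "true"
        by_jvm = JVM_FLAG in env.get("ES_JAVA_OPTS", "").split()
        status[c["name"]] = by_env or by_jvm
    return status


def build_patch(sts, use_jvm_flag=False):
    """Strategic merge patch adding the mitigation to every container that lacks it.

    Strategic merge keys containers and env entries by name, so the patch only has to
    carry the entries that change. Returns None when nothing needs patching.
    """
    status = mitigation_status(sts)
    patched = []
    for c in _containers(sts):
        if status[c["name"]]:
            continue
        if use_jvm_flag:
            opts = _env_values(c).get("ES_JAVA_OPTS", "")
            entry = {"name": "ES_JAVA_OPTS", "value": (opts + " " + JVM_FLAG).strip()}
        else:
            entry = {"name": ENV_NAME, "value": "true"}
        patched.append({"name": c["name"], "env": [entry]})
    if not patched:
        return None
    return {"spec": {"template": {"spec": {"containers": patched}}}}


def apply_patch(sts, patch):
    """Simulate the API server's strategic merge of the env list, so the result can be re-audited."""
    merged = json.loads(json.dumps(sts))  # deep copy; the input is left untouched
    patch_containers = (patch or {}).get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
    for pc in patch_containers:
        for c in _containers(merged):
            if c["name"] != pc["name"]:
                continue
            env = c.setdefault("env", [])
            for entry in pc["env"]:
                existing = [e for e in env if e["name"] == entry["name"]]
                if existing:
                    existing[0].clear()
                    existing[0].update(entry)
                else:
                    env.append(dict(entry))
    return merged


def kubectl_patch_command(sts, patch):
    """The command a practitioner would run; the patch is passed inline as JSON."""
    meta = sts["metadata"]
    return (f"kubectl -n {meta['namespace']} patch statefulset {meta['name']} "
            f"-p '{json.dumps(patch, separators=(',', ':'))}'")


if __name__ == "__main__":
    # kubectl get sts NAME -n NS -o json | python3 log4j_sts_patch.py [--jvm]
    # Without piped input the constructed sample is used.
    sts = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STS
    print("before:", mitigation_status(sts))
    patch = build_patch(sts, use_jvm_flag="--jvm" in sys.argv)
    if patch is None:
        print("nothing to do")
    else:
        print(kubectl_patch_command(sts, patch))
        print("after: ", mitigation_status(apply_patch(sts, patch)))
```

Run it once per StatefulSet (elasticsearch-logging-data and elasticsearch-logging-discovery); because the patch only touches the pod template's env list, the StatefulSet rolls its pods the same way a kubectl edit does, and re-running the script afterwards should print "nothing to do".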


This article was published through the multi-platform blog publisher OpenWrite.