Apache Log4j 2 is an open source logging library used by a wide variety of Java frameworks. A critical remote code execution vulnerability in it (CVE-2021-44228, "Log4Shell") has been disclosed and is now public. This article provides recommended fixes for KubeSphere users.
The vulnerability stems from the lookup feature of Log4j 2, which lets values in log messages and configuration be expanded through a number of lookup protocols, including JNDI. Because the message text is not checked before substitution, a crafted lookup string placed in any input that ends up in a log line can make the application perform a JNDI lookup against an attacker-controlled server and load code from it. Because so much software depends on log4j-core, a large number of Java products are affected, including but not limited to Apache Solr, spring-boot-starter-log4j2, Apache Struts 2, Elasticsearch, Dubbo, Logstash and Kafka. Refer to the list of artifacts that depend on Apache Log4j Core (see the references at the end) for more components.
The affected versions are Apache Log4j 2.x from 2.0-beta9 up to but excluding 2.15.0. Apache's fix shipped in Log4j 2.15.0; the 2.15.0-rc2 build that circulated before the release is a release candidate, not a final release, and should not be treated as one. Later 2.x releases address follow-up issues in the same lookup code, so when upgrading go to the latest 2.x, and back up relevant data first.
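Before choosing a mitigation it is worth confirming which log4j-core build your Elasticsearch image actually carries (in the official image the jars sit under /usr/share/elasticsearch/lib). The following added example, which is not code from this article, from KubeSphere or from the Log4j project, reads the version out of a log4j-core jar, reports whether JndiLookup.class is still present, and can write a copy of the jar with that class removed, which is the mitigation Apache documents for 2.x builds too old for formatMsgNoLookups. The version bounds follow the article (2.0-beta9 up to but excluding 2.15.0); the sample jars are constructed in memory so the script runs offline.

```python
"""Check a log4j-core jar for the Log4Shell-relevant facts and strip JndiLookup.

Added example (not code from the KubeSphere article or the Log4j project).
It inspects a log4j-core-*.jar, reporting the version and whether
org/apache/logging/log4j/core/lookup/JndiLookup.class is still present,
and can produce a copy of the jar with that class removed.
Sample jars are constructed in memory so the script runs offline.
"""
import io
import re
import sys
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_AFFECTED = "2.0-beta9"   # first release containing JndiLookup
FIRST_FIXED = "2.15.0"         # release that disabled JNDI message lookups


def parse_version(text):
    """'2.14.1', '2.15.0-rc2', '2.0-beta9' -> comparable tuple.
    A pre-release tag sorts before the final release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", text.strip())
    if not m:
        raise ValueError("unrecognised Log4j version: %r" % text)
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


def scan_jar(jar_bytes):
    """Return a dict describing the jar: version, JndiLookup presence, exposure."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    version = value.strip()
    has_jndi = JNDI_LOOKUP in names
    affected = (version is not None and
                parse_version(FIRST_AFFECTED) <= parse_version(version) < parse_version(FIRST_FIXED))
    return {
        "version": version,
        "jndi_lookup_present": has_jndi,
        "affected_version": affected,
        # still needs attention if an affected build ships JndiLookup, or if the
        # version could not be read but the class is there
        "needs_attention": has_jndi and (affected or version is None),
    }


def strip_jndi_lookup(jar_bytes):
    """Return a copy of the jar without JndiLookup.class; other entries are kept as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(version, include_jndi=True):
    """Build a minimal constructed log4j-core jar in memory (test fixture, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPERTIES, "#Generated by Maven\nversion=%s\n"
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n" % version)
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python3 log4j_jar_check.py /path/to/log4j-core-*.jar ...
    # (copy the jar out of a pod first, e.g. with kubectl cp; with no arguments a
    # constructed 2.11.1 sample is scanned instead)
    paths = sys.argv[1:]
    for path in paths:
        with open(path, "rb") as fh:
            print(path, scan_jar(fh.read()))
    if not paths:
        demo = make_sample_jar("2.11.1")
        print("constructed 2.11.1 jar:", scan_jar(demo))
        print("after stripping JndiLookup:", scan_jar(strip_jndi_lookup(demo)))
```

A version below 2.15.0 with JndiLookup.class still inside is the case the rest of this article addresses; a jar from which the class has been removed reports as no longer needing attention even though its version string is unchanged, which is why the check looks at the class and not only at the version. Note that this scan only tells you whether the jar itself is patched; it cannot see whether a JVM flag or environment variable mitigation is active in the running process.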
Apache also documents three ways to mitigate the vulnerability without upgrading. All three do the same thing, disable lookups in message text, and all three require Log4j 2.10 or later; for older 2.x releases the only option short of upgrading is to remove the JndiLookup class from the log4j-core jar.
- System environment variable: set LOG4J_FORMAT_MSG_NO_LOOKUPS to true. (The name FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS that circulated in early advisories is the internal Java constant in Log4j that holds this setting; it is not a variable Log4j reads from the environment.)
- Modify the configuration: log4j2.formatMsgNoLookups=true in log4j2.component.properties on the classpath, or the nolookups option on %m in the layout pattern of the logging configuration.
- Modify the JVM parameters: -Dlog4j2.formatMsgNoLookups=true
Any one of the following methods is sufficient; apply it to both Elasticsearch StatefulSets.
Method 1: Modify system environment variables
KubeSphere uses Elasticsearch to collect logs by default (the built-in logging component in the kubesphere-logging-system namespace), and Elasticsearch logs through Log4j 2, so the Elasticsearch configuration in KubeSphere has to be changed to fix the vulnerability. Here is how.
Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true in the Elasticsearch pods (this is the variable Log4j 2 actually reads; FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS, listed in some early advisories, is not). Elasticsearch runs as two StatefulSets in KubeSphere, so edit both:
kubectl edit statefulset elasticsearch-logging-data -n kubesphere-logging-system
kubectl edit statefulset elasticsearch-logging-discovery -n kubesphere-logging-system
In each, add the variable to the elasticsearch container under spec.template.spec.containers:
    env:
    - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
      value: "true"
Saving the edit changes the pod template, so the StatefulSet rolls its pods and the new Elasticsearch processes start with the variable set.
Method 2: Modify the Log4j 2 configuration
Alternatively, modify the Log4j 2 configuration that KubeSphere mounts into Elasticsearch, which lives in a ConfigMap:
kubectl edit configmaps elasticsearch-logging -n kubesphere-logging-system
The log4j2.properties key of that ConfigMap looks like the following; the added lines are marked. Note that log4j2.formatMsgNoLookups is a Log4j system property (read from JVM -D flags, LOG4J_* environment variables and log4j2.component.properties on the classpath), not a key of the logging configuration file, so the property line on its own is not guaranteed to take effect inside log4j2.properties. What the configuration file does control is the layout pattern, and the nolookups option on %m disables lookups in the logged message text, which is the in-configuration change Log4j itself documents:
log4j2.properties: |-
  status = error
  appender.console.type = Console
  appender.console.name = console
  appender.console.layout.type = PatternLayout
  # nolookups disables ${...} lookups in the logged message
  appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m{nolookups}%n
  rootLogger.level = info
  rootLogger.appenderRef.console.ref = console
  logger.searchguard.name = com.floragunn
  logger.searchguard.level = info
  # inserted line
  log4j2.formatMsgNoLookups = true
Note:
- Elasticsearch reads log4j2.properties at startup, so after the change check that the updated ConfigMap is actually mounted in the pods, and restart the Pods if the new file has not been picked up.
- If you re-install the KubeSphere logging component, ks-installer may reset this ConfigMap. Re-apply the change afterwards, or fall back to Method 1 (the lookup-disabling environment variable on the StatefulSets), which survives a ConfigMap reset.
Method 3: Modify JVM parameters for Elasticsearch
Besides the two methods above, you can add the JVM flag for Elasticsearch alone, as the Elasticsearch security announcement recommends: put -Dlog4j2.formatMsgNoLookups=true in jvm.options, or, in a container, append it to the ES_JAVA_OPTS environment variable, which Elasticsearch passes through to the JVM. Take care to append rather than replace, since ES_JAVA_OPTS in the KubeSphere StatefulSets typically already carries the heap settings. Elastic's announcement also notes that Elasticsearch itself is not exposed to remote code execution through this bug because the Java Security Manager restricts what the JNDI lookup can do, but information leakage through the lookup remains possible, so the mitigation is still required.
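Method 1 and Method 3 are both edits to the same container env lists in the two StatefulSets, and both have to be re-done whenever ks-installer resets the component. The following added example, which is not code from this article or from the KubeSphere project, takes a StatefulSet manifest as a dict (the output of kubectl get -o json), sets LOG4J_FORMAT_MSG_NO_LOOKUPS=true on every container, appends -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS without losing the existing heap options, and emits a strategic-merge patch for kubectl patch. Running it on an already mitigated manifest yields an empty patch, so it is safe to re-run. The StatefulSet below is a constructed stand-in for KubeSphere's, and the script file name log4j_sts_patch.py is an assumption.

```python
"""Patch a Kubernetes StatefulSet manifest with the Log4j 2 mitigation env settings.

Added example, not code from the KubeSphere article or the KubeSphere project.
Given a StatefulSet as a dict (e.g. `kubectl get sts ... -o json`), it
  * sets LOG4J_FORMAT_MSG_NO_LOOKUPS=true on every container (Method 1), and
  * appends -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS (Method 3),
    keeping whatever ES_JAVA_OPTS already holds (typically the heap size),
and emits a strategic-merge patch for `kubectl patch`. Re-running it on an
already patched manifest yields an empty patch. The sample manifest is constructed.
"""
import copy
import json
import sys

LOOKUP_ENV, LOOKUP_VALUE = "LOG4J_FORMAT_MSG_NO_LOOKUPS", "true"
JVM_ENV, JVM_FLAG = "ES_JAVA_OPTS", "-Dlog4j2.formatMsgNoLookups=true"

# Constructed stand-in for the KubeSphere Elasticsearch StatefulSet, trimmed to what matters.
SAMPLE_STATEFULSET = {
    "apiVersion": "apps/v1", "kind": "StatefulSet",
    "metadata": {"name": "elasticsearch-logging-data", "namespace": "kubesphere-logging-system"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "sysctl", "image": "busybox"}],
        "containers": [{
            "name": "elasticsearch", "image": "elasticsearch:6.7.0",
            "env": [{"name": "ES_JAVA_OPTS", "value": "-Xms512m -Xmx512m"},
                    {"name": "cluster.name", "value": "elasticsearch"}],
        }],
    }}},
}


def set_env(env, name, value):
    """Ensure name=value is present in a container env list. Returns True if it changed."""
    for item in env:
        if item.get("name") == name:
            if item.get("value") == value and "valueFrom" not in item:
                return False
            item.pop("valueFrom", None)   # a literal value replaces any reference
            item["value"] = value
            return True
    env.append({"name": name, "value": value})
    return True


def append_jvm_flag(env, flag):
    """Append a JVM flag to ES_JAVA_OPTS without dropping existing options. Returns True if changed."""
    for item in env:
        if item.get("name") == JVM_ENV:
            if "valueFrom" in item:
                # the value lives in a ConfigMap/Secret/fieldRef; refusing beats silently overwriting
                raise ValueError("%s uses valueFrom; add %s at its source instead" % (JVM_ENV, flag))
            opts = item.get("value", "").split()
            if flag in opts:
                return False
            item["value"] = " ".join(opts + [flag])
            return True
    env.append({"name": JVM_ENV, "value": flag})
    return True


def mitigate_statefulset(manifest):
    """Return (patched copy, names of containers that changed); the input is left untouched."""
    patched = copy.deepcopy(manifest)
    changed = []
    for container in patched["spec"]["template"]["spec"]["containers"]:
        env = container.setdefault("env", [])
        touched_env = set_env(env, LOOKUP_ENV, LOOKUP_VALUE)
        touched_jvm = append_jvm_flag(env, JVM_FLAG)
        if touched_env or touched_jvm:
            changed.append(container["name"])
    return patched, changed


def build_patch(manifest):
    """Strategic-merge patch carrying only the env entries that matter.
    Kubernetes merges containers and env entries by name, so nothing else is overwritten."""
    patched, changed = mitigate_statefulset(manifest)
    containers = [
        {"name": c["name"],
         "env": [e for e in c["env"] if e["name"] in (LOOKUP_ENV, JVM_ENV)]}
        for c in patched["spec"]["template"]["spec"]["containers"] if c["name"] in changed
    ]
    return {"spec": {"template": {"spec": {"containers": containers}}}} if containers else {}


if __name__ == "__main__":
    # kubectl get sts <name> -n kubesphere-logging-system -o json | python3 log4j_sts_patch.py
    # With no piped input the constructed sample is used instead.
    manifest = SAMPLE_STATEFULSET if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(build_patch(manifest), indent=2))
```

To apply it to one of the KubeSphere StatefulSets, feed the patch to kubectl patch (the strategic merge type is the default, so only the env entries in the patch are touched): kubectl patch statefulset elasticsearch-logging-data -n kubesphere-logging-system -p "$(kubectl get statefulset elasticsearch-logging-data -n kubesphere-logging-system -o json | python3 log4j_sts_patch.py)", and the same for elasticsearch-logging-discovery. The template change rolls the pods; once they are back, confirm in a pod (for example elasticsearch-logging-data-0) that both variables are set and that the java process command line contains formatMsgNoLookups, since the environment variable route relies on Log4j 2.10 or later while the -D flag is visible directly on the process.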
Relevant references
- Apache Log4j 2 remote code execution vulnerability risk notice (Nanjing University ITSC): itsc.nju.edu.cn/7a/42/c4194…
- Artifacts using Apache Log4j Core (mvnrepository): mvnrepository.com/artifact/or…
This article is published by OpenWrite!