Revision History:
Revision | Publication Date | Comments
1.0 | 12/13/2021 | Initial publication
1.1 | 12/13/2021 | Add info on Hive Metastore
1.2 | 12/14/2021 | Add info on KUDO Spark
1.3 | 12/15/2021 | Updated info on SDK Scheduler and mitigation
1.4 | 01/05/2022 | Added information about CVE-2021-44832 and CVE-2021-45105 and the SDK Scheduler
1.5 | 01/11/2022 | Added additional clarification about Elastic in DKP products.
Products Affected:
Product | Release | Comments
DC/OS | 1.13, 2.0, 2.1, 2.1 |
DKP (Konvoy/Kommander) | 1.6.x, 1.7.x, 1.8.x, 2.x |
Risk & Severity:
Risk Severity | Defect Severity
Critical | Critical
Problem Description
A vulnerability has been identified in the Java logging component Log4J v2.x. See https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://nvd.nist.gov/vuln/detail/CVE-2021-45046 for more details.
Java components are used in some D2iQ products. This advisory documents the impacts and any mitigations needed or recommended.
Note that only Log4J v2.x is impacted by the vulnerability. Many popular packages in the DC/OS and Kubernetes ecosystem use Log4J v1.x, which is NOT impacted by this vulnerability.
Context & Symptoms
For all supported D2iQ offerings, we have analyzed the impact of these CVEs and have prepared the following tables of impacted products:
DC/OS:
Product | Impacted? | Notes
DC/OS 1.13, 2.0, 2.1, 2.1 | No |
DC/OS Universe packages | Partial |
DKP (D2iQ Kubernetes Platform):
Product | Impacted? | Notes
DKP 1.6/1.7/1.8 | No |
DKP 2.x | No | No impact, no Java components
Kaptain 1.x | No |
DC/OS Zookeeper:
DC/OS uses Apache Zookeeper and the Open Source Exhibitor package to manage Zookeeper, which are both Java based and use log4j v1.x. As mentioned above, Log4J v1.x is NOT impacted by the CVE. In addition, the log4j configuration files on DC/OS systems are not world writable, so an unprivileged user cannot change the log4j configuration.
There are several other Java based components (Cosmos, Marathon, Metronome, Package Registry) in DC/OS, but none of them use the Log4J logging framework and are thus not impacted.
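The control relied on above (and again for the SDK scheduler container under CVE-2021-44832 later in this advisory) is that nobody without privileges can rewrite a log4j configuration file. The following script, added here as an example and not a D2iQ tool, walks a directory tree, picks out the file names log4j 1.x and 2.x read their configuration from, and reports any that grant write permission to "other". The sample tree it builds under a temporary directory is constructed for the example; on a real node you would point it at the directories where your DC/OS components keep their configuration.

```python
"""Report world-writable log4j configuration files under a directory tree.
Added example for this advisory; not part of DC/OS or any D2iQ tooling."""
import os
import stat
import tempfile

# File names that log4j 1.x and log4j 2.x load their configuration from.
LOG4J_CONFIG_NAMES = (
    "log4j.properties", "log4j.xml",
    "log4j2.properties", "log4j2.xml", "log4j2.yaml", "log4j2.yml", "log4j2.json",
)


def is_log4j_config(name):
    """True for a log4j/log4j2 configuration file name (e.g. log4j2-test.xml too)."""
    base = os.path.basename(name)
    if base in LOG4J_CONFIG_NAMES:
        return True
    stem, ext = os.path.splitext(base)
    return stem.startswith("log4j") and ext in (".properties", ".xml", ".yaml", ".yml", ".json")


def world_writable_log4j_configs(root):
    """Walk `root` and return the sorted paths of regular log4j config files
    whose mode bits include write permission for 'other' (the o+w bit)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not is_log4j_config(f):
                continue
            path = os.path.join(dirpath, f)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def build_sample_tree():
    """Constructed sample tree: one properly protected log4j config, one that is
    world-writable, and one world-writable file that is not a log4j config."""
    root = tempfile.mkdtemp(prefix="log4j-perm-check-")
    good = os.path.join(root, "exhibitor", "log4j.properties")
    bad = os.path.join(root, "scheduler", "log4j2.xml")
    other = os.path.join(root, "scheduler", "application.conf")
    for p in (good, bad, other):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("# constructed sample file\n")
    os.chmod(good, 0o644)   # owner rw, group/other read-only: acceptable
    os.chmod(bad, 0o666)    # world-writable: must be reported
    os.chmod(other, 0o666)  # world-writable but not a log4j config: must be ignored
    return root, good, bad


if __name__ == "__main__":
    root, _good, _bad = build_sample_tree()
    for path in world_writable_log4j_configs(root):
        print("world-writable log4j config:", path)
```

Run it against a real tree with `world_writable_log4j_configs("/path/to/config/root")`; an empty result is what the advisory's statement about DC/OS requires. The check deliberately ignores symlinks and non-regular files so that a dangling link does not produce a false report.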
DC/OS Universe Packages based on the DC/OS SDK Scheduler
A number of the packages in the DC/OS universe use a Mesos scheduler developed by Mesosphere/D2iQ referred to as the “DCOS SDK”. The SDK scheduler is written in Java and uses an impacted version of Log4J v2.x. The Scheduler configuration is logged; if an attacker gained access to the cluster they might be able to configure the scheduler to trigger the exploit.
The list of DC/OS Universe packages which use the SDK scheduler is as follows:
alluxio-enterprise
cassandra
cockroachdb
confluent-kafka
confluent-zookeeper
consul
couchbase
data-science-engine
datastax-dse
datastax-ops
dcos-monitoring
edgelb-pool
elastic
etcd
ethereum
grafana
hdfs
hive-metastore
hivemq
kafka
kafka-zookeeper
Kubernetes (MKE)
Kubernetes-cluster (MKE)
miniod
nifi
percona-mongo
percona-pxc-mysql
percona-server-mongodb
portworx
portworx-cassandra
portworx-confluent-kafka
portworx-couchdb
portworx-datastax-dse
portworx-datastax-ops
portworx-elastic
portworx-hadoop
portworx-hdfs
portworx-kafka
portworx-miniod
portworx-nifi
portworx-percona-mongo
portworx-prometheus
portworx-zookeeper
prometheus
rabbitmq
redis-cluster
spinnaker
A previous version of this advisory recommended adding the -Dlog4j2.formatMsgNoLookups=true flag to the JVM_OPTS parameter of the scheduler to disable the vulnerable capability. Subsequent research has determined that the versions of log4j shipped with the SDK scheduler (v2.8.1) do not support this flag, so this mitigation does not work. If you have already performed this mitigation, it does not hurt anything, but it does not mitigate the vulnerability.
Instead, to mitigate this problem you will need an updated version of any packages you are using. Please contact support@d2iq.com and indicate exactly which SDK package (including the version) and we will assist you with obtaining an updated package that includes a patched log4j.
See below for notes on CVE-2021-44832 and CVE-2021-45105.
DC/OS Universe Packages with impacted Base Technology
Some of the Packages in the DC/OS Universe deploy Java based packages that may use the impacted Log4j version. We are still evaluating the packages in the Universe to see if any are impacted and will update this advisory as we have more information on this topic.
We are aware of a vulnerability in the base technology of the Hive Metastore package. If you use this package, please contact support@d2iq.com for mitigation instructions.
Elasticsearch in DKP 1.x
Konvoy 1.6 and 1.7 ship with Elasticsearch 6.8.x; Konvoy 1.8.x ships with Elasticsearch 7.10. Elasticsearch is a Java based package and uses an impacted version of Log4J v2.x, but it is NOT impacted by the vulnerabilities.
From the Elastic Security Bulletin: "Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK are NOT SUSCEPTIBLE [emphasis D2iQ] to either remote code execution or information leakage. This is due to Elasticsearch's usage of the Java Security Manager." There are further statements from Elastic that note that the only reason they have issued 6.8.22 and 7.16.2 was "to address false positives".
See this note on the Elastic website for more information.
To further harden DKP 1.x clusters, we recommend that you add the following mitigation to your cluster.yaml and then run konvoy deploy addons -y
- name: elasticsearch
  enabled: true
  values: |
    master:
      additionalJavaOpts: "-Dlog4j2.formatMsgNoLookups=true"
    data:
      additionalJavaOpts: "-Dlog4j2.formatMsgNoLookups=true"
    client:
      additionalJavaOpts: "-Dlog4j2.formatMsgNoLookups=true"
    cluster:
      additionalJavaOpts: "-Dlog4j2.formatMsgNoLookups=true"
KUDO Spark
The KUDO Spark package included in the D2iQ Kaptain product uses Log4J v1.x, which is not impacted by the vulnerability.
Impact Analysis of Log4J vulnerabilities on the DC/OS SDK Scheduler
To date, four different CVEs have been reported against various Log4j v2 versions:
CVE | Log4J Versions impacted | CVE Severity
CVE-2021-44228 | All versions from 2.0-beta9 to 2.14.1 | Critical
CVE-2021-45046 | All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 | Critical
CVE-2021-45105 | All versions from 2.0-beta9 to 2.16.0, excluding 2.12.3 | Moderate
CVE-2021-44832 | All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 | Moderate
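Two practical questions follow from this table and from the earlier note that the SDK scheduler's log4j 2.8.1 ignores -Dlog4j2.formatMsgNoLookups=true: which log4j-core version is actually bundled in a given scheduler or package jar, and which of the four CVE ranges that version falls in. The script below, added here as an example rather than anything shipped by D2iQ, reads the log4j-core version from the Maven pom.properties that the library embeds in its jar, matches it against the ranges exactly as listed in the table above, and reports whether the formatMsgNoLookups property is even recognised (it was introduced in log4j 2.10.0, which is a fact about log4j, not something stated on this page). The jar images it builds are constructed for the example and contain only the pom.properties entry.

```python
"""Identify a bundled log4j-core version and map it onto the CVE ranges in this
advisory's table.  Added example; not D2iQ tooling."""
import io
import re
import zipfile

# Ranges copied from the advisory table, read as (first affected, last affected,
# fixed backport releases excluded from the range).
CVE_RANGES = {
    "CVE-2021-44228": ("2.0-beta9", "2.14.1", ()),
    "CVE-2021-45046": ("2.0-beta9", "2.15.0", ("2.12.2",)),
    "CVE-2021-45105": ("2.0-beta9", "2.16.0", ("2.12.3",)),
    "CVE-2021-44832": ("2.0-alpha7", "2.17.0", ("2.3.2", "2.12.4")),
}

# log4j2.formatMsgNoLookups was added in log4j 2.10.0; older releases such as
# the scheduler's 2.8.1 silently ignore it.
FORMAT_MSG_NO_LOOKUPS_MIN = "2.10.0"

# Path at which log4j-core's jar carries its Maven coordinates.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.8.1' -> (2, 8, 1, 3, 0).
    A final release (rank 3) sorts above any pre-release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", v)
    if not m:
        raise ValueError("unrecognised log4j version: %r" % v)
    major, minor, patch, pre, pre_n = m.groups()
    rank = _PRE_RANK[pre] if pre else 3
    return (int(major), int(minor), int(patch or 0), rank, int(pre_n or 0))


def flag_recognised(version):
    """True if this log4j release understands log4j2.formatMsgNoLookups."""
    return parse_version(version) >= parse_version(FORMAT_MSG_NO_LOOKUPS_MIN)


def affected_cves(version):
    """CVE ids from the table whose range contains `version`, in table order."""
    pv = parse_version(version)
    hits = []
    for cve, (lo, hi, excluded) in CVE_RANGES.items():
        in_range = parse_version(lo) <= pv <= parse_version(hi)
        if in_range and pv not in {parse_version(e) for e in excluded}:
            hits.append(cve)
    return hits


def log4j_core_version(jar_bytes):
    """Return the log4j-core version recorded in a jar (or fat jar) image,
    or None when the jar does not bundle log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        if POM_PROPS not in z.namelist():
            return None
        for line in z.read(POM_PROPS).decode("ascii", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def assess_jar(jar_bytes):
    """Summarise a jar: bundled version, CVEs whose range it falls in, and
    whether the old JVM_OPTS flag would have been honoured at all."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        return {"version": None, "cves": [], "flag_recognised": False}
    return {"version": version, "cves": affected_cves(version),
            "flag_recognised": flag_recognised(version)}


def make_fake_jar(version):
    """Constructed sample jar holding only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, "version=%s\ngroupId=org.apache.logging.log4j\n"
                   "artifactId=log4j-core\n" % version)
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.8.1", "2.16.0", "2.17.1"):
        print(v, assess_jar(make_fake_jar(v)))
```

On a real scheduler jar, call `assess_jar(open(path, "rb").read())`. For 2.8.1 the result lists all four CVEs and `flag_recognised` is False, which is the advisory's point about the withdrawn JVM_OPTS mitigation; for 2.16.0 only CVE-2021-45105 and CVE-2021-44832 remain, matching the analysis that follows.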
As mentioned above, DC/OS SDK Scheduler components built before December, 2021 included impacted versions of Log4j (V2.8.1). In December, D2iQ issued updated packages to supported customers that contain Log4j V2.16.0, which remediates the vulnerabilities described in CVE-2021-44228 and CVE-2021-45046.
Subsequently, additional CVEs (CVE-2021-45105 and CVE-2021-44832) were disclosed that impact Log4j 2.16.0. D2iQ has analyzed the usage of Log4J in the DC/OS SDK Scheduler and has determined that it is not impacted by these CVEs. Our analysis follows:
CVE-2021-45105: Triggering the vulnerability requires the use of particular logging PatternLayouts, which are not used by the SDK code. Even if the necessary patterns are somehow injected, the only impact of the vulnerability is that the scheduler process would fail. The Marathon app that launches the scheduler would then restart it. At no time would running processes launched by the SDK scheduler be impacted.
CVE-2021-44832: Triggering this vulnerability requires access to the Log4J configuration file, which is only available in the SDK scheduler container and is protected from modification.
For More Information
We are continuing to investigate this topic and will update this advisory as necessary as we learn more. If you require further assistance, or if you have any further questions regarding this field notice, please submit a ticket at support.d2iq.com.
Referenced links in this advisory:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
http://slf4j.org/log4shell.html
https://github.com/mesosphere/dcos-commons