
[FEATURE REQUEST] Upgrade to Open Distro to latest 1.13.x to solve the log4j issues #2788

Closed
13 tasks done
erzetpe opened this issue Dec 14, 2021 · 3 comments
Assignees
Labels
area/security priority/critical Show-stopper! You better start it now

Comments

@erzetpe
Contributor

erzetpe commented Dec 14, 2021

Is your feature request related to a problem? Please describe.
We need to upgrade to the latest 1.13.x, as previous versions are prone to CVE-2021-44228.

Describe the solution you'd like
We want to upgrade Open Distro to the latest 1.13.x to solve the Log4j CVE issues.

Describe alternatives you've considered
None

Additional context
Official Open Distro statement


DoD checklist

  • Changelog updated
  • COMPONENTS.md updated / doesn't need to be updated
  • Schema updated / doesn't need to be updated
  • Feature has automated tests
  • Automated tests passed (QA pipelines)
    • apply
    • upgrade
  • Idempotency tested
  • Documentation added / updated / doesn't need to be updated
  • All conversations in PR resolved
  • Solution meets requirements and is done according to design doc
  • Usage compliant with license
  • Backport tasks created / doesn't need to be backported
@erzetpe erzetpe added area/security status/grooming-needed priority/high Task with high priority priority/critical Show-stopper! You better start it now and removed priority/high Task with high priority labels Dec 14, 2021
@rafzei rafzei self-assigned this Dec 20, 2021
@seriva seriva changed the title [FEATURE REQUEST] Upgrade to Open Distro 1.13.3 [FEATURE REQUEST] Upgrade to Open Distro to latest 1.13.x to solve the log4j issues Dec 20, 2021
@rafzei
Contributor

rafzei commented Dec 20, 2021

DEB and RPM packages are not available for now:
opendistro-for-elasticsearch/opendistro-build#800
We could get the .tar.gz and unpack it, or patch our version with updated log4j jars.

@seriva
Collaborator

seriva commented Dec 29, 2021

Needs to be backported to 1.0.x, issue already created: #2823

@przemyslavic
Collaborator

✔️ new deployments:

[operations@ci-l4jazurcentcanal-logging-vm-1 ~]$ find /usr/share/elasticsearch/ -type f -name "log4j*.jar"
/usr/share/elasticsearch/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.17.1.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.17.1.jar

✔️ upgrades
Before:

[root@ec2-1-1-1-1 elasticsearch]# find /usr/share/elasticsearch/ -type f -name "log4j*.jar"
/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
/usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.11.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.13.0.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.13.0.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.13.0.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.13.0.jar

After upgrading:

[root@ec2-1-1-1-1 elasticsearch]# find /usr/share/elasticsearch/ -type f -name "log4j*.jar"
/usr/share/elasticsearch/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.17.1.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.17.1.jar

Tested on x86_64 and aarch64, all OSes, all cloud providers, apply + re-apply, upgrade + re-upgrade.
Verified Elasticsearch and Kibana services. Also checked elasticsearch logs.

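A pass/fail form of the check run in the comment above, added here as an example (it is not part of the issue or the project's own tooling). It assumes, as in the `find` output above, that the jar filenames carry the log4j version, and it uses 2.17.1 (the version the upgrade shipped) as the minimum; jars whose name carries no version are reported as UNKNOWN rather than silently passed.

```shell
#!/bin/sh
# Added example: turn the manual `find ... -name "log4j*.jar"` check into a gate.
# A jar is flagged OLD when the version in its filename is below MIN_LOG4J.
MIN_LOG4J="${MIN_LOG4J:-2.17.1}"

# version_ge A B: return 0 if dotted version A >= B (numeric, component-wise,
# so 2.9.1 < 2.17.1 even though "2.9.1" sorts after "2.17.1" as a string).
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# jar_version PATH: print the version from a log4j-<artifact>-<ver>.jar name,
# or nothing when the filename carries no version (shaded/renamed jars).
jar_version() {
    basename "$1" .jar | sed -n 's/^log4j-.*-\([0-9][0-9.]*\)$/\1/p'
}

# check_jars: read jar paths from stdin, print a verdict per jar,
# return 1 if any jar is OLD or UNKNOWN (so it can gate a pipeline step).
check_jars() {
    bad=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        v=$(jar_version "$jar")
        if [ -z "$v" ]; then
            printf 'UNKNOWN  %s (no version in filename, inspect manifest)\n' "$jar"; bad=1
        elif version_ge "$v" "$MIN_LOG4J"; then
            printf 'OK       %s\n' "$jar"
        else
            printf 'OLD      %s (%s < %s)\n' "$jar" "$v" "$MIN_LOG4J"; bad=1
        fi
    done
    return "$bad"
}

# scan_host ROOT: the same find as in the comment above, piped into the gate.
scan_host() {
    find "${1:-/usr/share/elasticsearch}" -type f -name 'log4j*.jar' | check_jars
}

# Entry point when run as a script: `sh check_log4j.sh /usr/share/elasticsearch`
[ "$#" -gt 0 ] && scan_host "$1"
```

The "Before" listing above would make `scan_host` exit 1 (2.11.1 and 2.13.0 jars reported OLD) and the "After" listing would make it exit 0.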
@przemyslavic przemyslavic self-assigned this Jan 3, 2022
@seriva seriva self-assigned this Jan 3, 2022
@seriva seriva closed this as completed Jan 3, 2022
seriva added a commit that referenced this issue Jan 21, 2022
… (#2826)

* Backport #2784 for issue #2774
* Backport #2813 for issue #2768
* Backport #2823 for issue #2788
* Backport #2776 for issue #1221
* Backport #2442 for issue #2426
* Backport #2764 for issue #2744
* Backport issue #2831
* Backport #2912 for issue #2894