Update log4j #2806

Merged
merged 20 commits into hitachienergy:develop from 2788-odfe
Dec 30, 2021

Conversation

@rafzei (Contributor) commented Dec 20, 2021

It fixes the following vulnerabilities:

Package                  Installed     Fixed in      Vulnerability        Severity
log4j-api                2.13.0        2.15.0        GHSA-jfh8-c2jp-5v3q  Critical
log4j-api                2.13.0        2.16.0        GHSA-7rjr-3q55-vv33  Medium
log4j-api                2.13.0        2.17.0        GHSA-p6xc-xr62-6r2g  High
log4j-api                2.13.0                      CVE-2020-9488        Low
log4j-api                2.13.0                      CVE-2021-44228       Critical
log4j-api                2.13.0                      CVE-2021-45046       Low
log4j-api                2.11.1        2.15.0        GHSA-jfh8-c2jp-5v3q  Critical
log4j-api                2.11.1        2.16.0        GHSA-7rjr-3q55-vv33  Medium
log4j-api                2.11.1        2.12.3        GHSA-p6xc-xr62-6r2g  High
log4j-api                2.11.1                      CVE-2020-9488        Low
log4j-api                2.11.1                      CVE-2021-44228       Critical
log4j-api                2.11.1                      CVE-2021-45046       Low
log4j-core               2.13.0        2.13.2        GHSA-vwqq-5vrc-xw9h  Medium
log4j-core               2.13.0        2.15.0        GHSA-jfh8-c2jp-5v3q  Critical
log4j-core               2.13.0        2.16.0        GHSA-7rjr-3q55-vv33  Medium
log4j-core               2.13.0        2.17.0        GHSA-p6xc-xr62-6r2g  High
log4j-core               2.13.0                      CVE-2020-9488        Low
log4j-core               2.13.0                      CVE-2021-44228       Critical
log4j-core               2.13.0                      CVE-2021-45046       Low
log4j-core               2.11.1        2.13.2        GHSA-vwqq-5vrc-xw9h  Medium
log4j-core               2.11.1        2.15.0        GHSA-jfh8-c2jp-5v3q  Critical
log4j-core               2.11.1        2.16.0        GHSA-7rjr-3q55-vv33  Medium
log4j-core               2.11.1        2.12.3        GHSA-p6xc-xr62-6r2g  High
log4j-core               2.11.1                      CVE-2020-9488        Low
log4j-core               2.11.1                      CVE-2021-44228       Critical
log4j-core               2.11.1                      CVE-2021-45046       Low
log4j-slf4j-impl         2.11.1                      CVE-2020-9488        Low
log4j-slf4j-impl         2.11.1                      CVE-2021-44228       Critical
log4j-slf4j-impl         2.11.1                      CVE-2021-45046       Low

@seriva (Collaborator) commented Dec 20, 2021

License-wise, for sure we cannot include these binaries inside our repo. Can't we just install from the tar.gz? If not, we probably need to include it, extract it and copy.

@rafzei rafzei marked this pull request as ready for review December 22, 2021 08:59
seriva previously approved these changes Dec 22, 2021
erzetpe previously approved these changes Dec 27, 2021
@seriva seriva dismissed stale reviews from erzetpe and themself via c37fec4 December 29, 2021 08:11
@seriva seriva requested a review from to-bar December 29, 2021 08:34
seriva previously approved these changes Dec 29, 2021
seriva previously approved these changes Dec 29, 2021
to-bar previously approved these changes Dec 29, 2021
seriva previously approved these changes Dec 29, 2021
@przemyslavic (Collaborator) commented:

/azp run

@przemyslavic (Collaborator) commented Dec 29, 2021

https://dlcdn.apache.org/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.tar.gz

v2.17.1 has already been released:
https://dlcdn.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz
Addresses CVE-2021-44832.

However, I would vote to change the source of this package, as I expect we will experience the same problem when v2.17.2 is released, and it will break epicli v1.3.0 when released.

@seriva seriva dismissed stale reviews from to-bar and themself via fe5d508 December 29, 2021 14:39
@przemyslavic (Collaborator) commented:

/azp run

@seriva seriva requested review from to-bar and erzetpe December 29, 2021 14:49
@seriva (Collaborator) commented Dec 29, 2021

Switched to https://archive.apache.org repo and updated versions to 2.17.1 as it contains this one more fix.
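The install-from-tarball path this thread settles on (no vendored jars, fetched from archive.apache.org), with the two checks a practitioner would add before touching /usr/share/elasticsearch: verify the tarball against the .sha512 file Apache publishes beside it, and extract only the three wanted jars under their basenames so a crafted archive cannot write outside the staging directory. This is an added example, not epicli's own code; it assumes the tarball and digest file were already downloaded and does not show the stronger check, validating the .asc signature with gpg against the project's KEYS file. The tarball and the before-state tree that demo() builds are constructed for the example.

```python
"""Verify the Apache log4j tarball's digest, then swap the jars bundled under an Elasticsearch tree.

Added example, not epicli's own code. It assumes apache-log4j-<ver>-bin.tar.gz and the .sha512
file published beside it were already downloaded from
https://archive.apache.org/dist/logging/log4j/<ver>/ (the mirror this PR switched to) and that
the digest file's text is passed in as a string. The tarball and the before-state tree that
demo() builds are constructed for the example, with dummy jar bodies.
"""
import hashlib
import io
import os
import re
import tarfile
import tempfile

# The three artifacts the PR's find output shows under /usr/share/elasticsearch.
JAR_RE = re.compile(r"^(log4j-(?:api|core|slf4j-impl))-(\d+(?:\.\d+)+)\.jar$")

def sha512_of(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def digest_matches(tar_path, sha512_text):
    # Apache's .sha512 files are "<hex>  <filename>" (sometimes bare hex); compare the hex only.
    return sha512_of(tar_path) == sha512_text.split()[0].lower()

def extract_jars(tar_path, sha512_text, dest_dir):
    """Refuse an unverified archive; copy out only the three wanted jars.

    Each member is written under its basename and the resolved path is re-checked against
    dest_dir, so a crafted archive cannot drop a file elsewhere via '../' or a symlink."""
    if not digest_matches(tar_path, sha512_text):
        raise ValueError(f"sha512 mismatch for {tar_path}; not extracting")
    dest_real = os.path.realpath(dest_dir)
    found = {}
    with tarfile.open(tar_path, "r:gz") as tf:
        for m in tf.getmembers():
            match = JAR_RE.match(os.path.basename(m.name))
            if not (m.isfile() and match):
                continue
            target = os.path.join(dest_real, os.path.basename(m.name))
            if os.path.dirname(os.path.realpath(target)) != dest_real:
                raise ValueError(f"refusing member {m.name}")
            with tf.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            found[match.group(1)] = (match.group(2), target)
    return found

def replace_jars(es_root, new_jars):
    """Replace every older copy (lib/ and each plugin dir) in place; return [(old, new), ...]."""
    changes = []
    for dirpath, _, files in os.walk(es_root):
        for fn in files:
            m = JAR_RE.match(fn)
            if not m or m.group(1) not in new_jars:
                continue
            new_ver, src = new_jars[m.group(1)]
            if m.group(2) == new_ver:
                continue  # already current, e.g. on re-apply
            old = os.path.join(dirpath, fn)
            new = os.path.join(dirpath, f"{m.group(1)}-{new_ver}.jar")
            with open(src, "rb") as s, open(new, "wb") as d:
                d.write(s.read())
            os.remove(old)
            changes.append((old, new))
    return changes

def _build_tarball(path, version):
    # Constructed stand-in for the Apache binary tarball; log4j-1.2-api must be ignored.
    with tarfile.open(path, "w:gz") as tf:
        for art in ("log4j-api", "log4j-core", "log4j-slf4j-impl", "log4j-1.2-api"):
            body = f"dummy {art} {version}".encode()
            ti = tarfile.TarInfo(f"apache-log4j-{version}-bin/{art}-{version}.jar")
            ti.size = len(body)
            tf.addfile(ti, io.BytesIO(body))

def demo(version="2.17.1"):
    """Rebuild the PR's 'Before' tree, run the upgrade, report what is left on disk."""
    root = tempfile.mkdtemp()
    es = os.path.join(root, "usr/share/elasticsearch")
    pa = "plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib"
    before = [("lib", "log4j-api", "2.11.1"), ("lib", "log4j-core", "2.11.1"),
              ("plugins/opendistro_security", "log4j-slf4j-impl", "2.11.1"),
              (pa, "log4j-api", "2.13.0"), (pa, "log4j-core", "2.13.0"),
              ("performance-analyzer-rca/lib", "log4j-api", "2.13.0"),
              ("performance-analyzer-rca/lib", "log4j-core", "2.13.0")]
    for rel, art, ver in before:
        os.makedirs(os.path.join(es, rel), exist_ok=True)
        with open(os.path.join(es, rel, f"{art}-{ver}.jar"), "wb") as f:
            f.write(b"old")
    tar_path = os.path.join(root, f"apache-log4j-{version}-bin.tar.gz")
    _build_tarball(tar_path, version)
    good = f"{sha512_of(tar_path)}  apache-log4j-{version}-bin.tar.gz"  # stands in for the .sha512 file
    try:
        extract_jars(tar_path, "0" * 128, tempfile.mkdtemp(dir=root))
        rejected = False
    except ValueError:
        rejected = True
    changes = replace_jars(es, extract_jars(tar_path, good, tempfile.mkdtemp(dir=root)))
    left = sorted({JAR_RE.match(f).group(2) for _, _, fs in os.walk(es) for f in fs if JAR_RE.match(f)})
    return {"bad_digest_rejected": rejected, "replaced": len(changes), "versions_left": left}

if __name__ == "__main__":
    print(demo())
```

replace_jars skips a jar that is already at the target version, which is what makes re-apply and re-upgrade idempotent; the digest check runs before any member is read, so a truncated or tampered download never reaches the extract step.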

@przemyslavic (Collaborator) commented Dec 29, 2021

✔️ new deployments:

[operations@ci-l4jazurcentcanal-logging-vm-1 ~]$ find /usr/share/elasticsearch/ -type f -name "log4j*.jar"
/usr/share/elasticsearch/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.17.1.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.17.1.jar

✔️ upgrades
Before:

[root@ec2-1-1-1-1 elasticsearch]# find /usr/share/elasticsearch/ -type f -name "log4j*.jar"
/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
/usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.11.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.13.0.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.13.0.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.13.0.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.13.0.jar

After upgrading

[root@ec2-1-1-1-1 elasticsearch]# find /usr/share/elasticsearch/ -type f -name "log4j*.jar"
/usr/share/elasticsearch/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/lib/log4j-core-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro_security/log4j-slf4j-impl-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib/log4j-core-2.17.1.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-api-2.17.1.jar
/usr/share/elasticsearch/performance-analyzer-rca/lib/log4j-core-2.17.1.jar

One minor note: I think when doing a cleanup we should remove the .tar.gz file from the /tmp directory, shouldn't we?

[operations@ci-l4jazurcentcanal-logging-vm-1 ~]$ ls /tmp/apache-log4j*
/tmp/apache-log4j-2.17.1-bin.tar.gz

edit: OK, it's a temp directory so it should be cleaned up automatically.

Tested on x86_64 and aarch64, all OSes, all cloud providers, apply + re-apply, upgrade + re-upgrade.
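A check that covers both the scanner table in the PR description and the before/after find output above, as an added example that is not the project's code. The find commands only look at the version in each filename; this walks lib/ and every plugin directory, reads Implementation-Version from each jar's MANIFEST.MF, and, for log4j-core older than 2.16.0, reports whether JndiLookup.class is still bundled (the class-removal mitigation). Fix thresholds are the fixed versions in the advisory table (GHSA-p6xc-xr62-6r2g at 2.17.0) plus 2.17.1 for CVE-2021-44832 mentioned later in the thread; only the 2.x main line is modelled, not the 2.12.x and 2.3.x backport branches, and the jars demo() builds are constructed dummies.

```python
"""Audit every log4j jar under an Elasticsearch / Open Distro tree (lib/ and all plugin dirs).

Added example, not the project's code. Beyond the version in the filename, which is all the
find commands above check, it reads Implementation-Version from each jar's MANIFEST.MF and,
for log4j-core older than 2.16.0, whether JndiLookup.class is still bundled (the class-removal
mitigation). Fix thresholds are the fixed versions from the PR description's advisory table
plus 2.17.1 for CVE-2021-44832; only the 2.x main line is modelled, not the 2.12.x and 2.3.x
backport branches. The jars that demo() builds are constructed dummies.
"""
import os
import re
import tempfile
import zipfile

JAR_RE = re.compile(r"^(log4j-(?:api|core|slf4j-impl))-(\d+(?:\.\d+)+)\.jar$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_IN = [  # (advisory, first fixed release on the 2.x line)
    ("CVE-2020-9488", (2, 13, 2)),
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("GHSA-p6xc-xr62-6r2g", (2, 17, 0)),
    ("CVE-2021-44832", (2, 17, 1)),
]


def parse_version(s):
    return tuple(int(x) for x in s.split("."))


def manifest_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if the jar has none."""
    with zipfile.ZipFile(jar_path) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return None
        text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def audit_jar(path):
    """Record for one jar: effective version, advisories still open, and anomalies."""
    artifact, name_ver = JAR_RE.match(os.path.basename(path)).groups()
    mver = manifest_version(path)
    ver = mver or name_ver  # trust the manifest over a renamed file
    vt = parse_version(ver)
    rec = {"path": path, "artifact": artifact, "version": ver,
           "unfixed": [adv for adv, fixed in FIXED_IN if vt < fixed], "notes": []}
    if mver and mver != name_ver:
        rec["notes"].append(f"filename says {name_ver}, manifest says {mver}")
    if artifact == "log4j-core" and vt < (2, 16, 0):
        with zipfile.ZipFile(path) as z:
            present = JNDI_LOOKUP in z.namelist()
        rec["notes"].append("JndiLookup.class present: class-removal mitigation not applied" if present
                            else "JndiLookup.class removed: JNDI lookups mitigated, still upgrade")
    return rec


def audit_tree(es_root):
    """One record per log4j jar, in path order, so plugin copies are not overlooked."""
    return [audit_jar(os.path.join(d, f)) for d, _, files in sorted(os.walk(es_root), key=lambda t: t[0])
            for f in sorted(files) if JAR_RE.match(f)]


def _make_jar(path, manifest_ver, with_jndi):
    # Constructed dummy jar: just a manifest and, optionally, a JndiLookup.class entry.
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {manifest_ver}\r\n")
        if with_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Part of the PR's 'Before' tree, one upgraded plugin dir, one renamed jar; keyed by relative path."""
    es = os.path.join(tempfile.mkdtemp(), "usr/share/elasticsearch")
    pa = "plugins/opendistro-performance-analyzer/performance-analyzer-rca/lib"
    layout = [  # (dir, artifact, version in filename, version in manifest)
        ("lib", "log4j-api", "2.11.1", "2.11.1"),
        ("lib", "log4j-core", "2.11.1", "2.11.1"),
        ("plugins/opendistro_security", "log4j-slf4j-impl", "2.11.1", "2.11.1"),
        (pa, "log4j-api", "2.17.1", "2.17.1"),
        (pa, "log4j-core", "2.17.1", "2.17.1"),
        # renamed to look patched but still 2.13.0 inside: a filename-only check misses it
        ("plugins/renamed", "log4j-core", "2.17.1", "2.13.0"),
    ]
    for rel, art, fver, mver in layout:
        os.makedirs(os.path.join(es, rel), exist_ok=True)
        _make_jar(os.path.join(es, rel, f"{art}-{fver}.jar"), mver,
                  with_jndi=(art == "log4j-core" and parse_version(mver) < (2, 16, 0)))
    return {os.path.relpath(r["path"], es): r for r in audit_tree(es)}


if __name__ == "__main__":
    for rel, r in demo().items():
        print(rel, r["version"], r["unfixed"], r["notes"])
```

On a real host, call audit_tree("/usr/share/elasticsearch") and treat any record with a non-empty "unfixed" list or a filename/manifest mismatch as a failed upgrade; the renamed jar in demo() is the case the find-based verification in this thread would report as clean.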

@seriva (Collaborator) commented Dec 30, 2021

@przemyslavic Besides replacing the jars, you also verified that opendistro is working after this, right? :)

@przemyslavic (Collaborator) commented Dec 30, 2021

Yeah, it looks good. Verified Elasticsearch and Kibana services. Also checked elasticsearch logs.

[centos@ec2-1-1-1-1 ~]$ sudo ls -lah /var/log/elasticsearch/
total 2.3M
drwxr-s---.  2 elasticsearch elasticsearch 4.0K Dec 30 08:45 .
drwxr-xr-x. 12 root          root          4.0K Dec 30 08:49 ..
-rw-r--r--.  1 elasticsearch elasticsearch 1.4K Dec 30 09:12 EpiphanyElastic_deprecation.json
-rw-r--r--.  1 elasticsearch elasticsearch 672K Dec 30 09:31 EpiphanyElastic_deprecation.log
-rw-r--r--.  1 elasticsearch elasticsearch    0 Dec 30 08:45 EpiphanyElastic_index_indexing_slowlog.json
-rw-r--r--.  1 elasticsearch elasticsearch    0 Dec 30 08:45 EpiphanyElastic_index_indexing_slowlog.log
-rw-r--r--.  1 elasticsearch elasticsearch    0 Dec 30 08:45 EpiphanyElastic_index_search_slowlog.json
-rw-r--r--.  1 elasticsearch elasticsearch    0 Dec 30 08:45 EpiphanyElastic_index_search_slowlog.log
-rw-r--r--.  1 elasticsearch elasticsearch 221K Dec 30 09:31 EpiphanyElastic.log
-rw-r--r--.  1 elasticsearch elasticsearch 355K Dec 30 09:31 EpiphanyElastic_server.json
-rw-r--r--.  1 elasticsearch elasticsearch 425K Dec 30 09:31 gc.log
-rw-r--r--.  1 elasticsearch elasticsearch 2.0K Dec 30 08:45 gc.log.00

@seriva seriva merged commit 66e11f3 into hitachienergy:develop Dec 30, 2021
@rafzei rafzei deleted the 2788-odfe branch February 8, 2022 22:39