CVE-2021-44228 - log4j2
Indexima continues its analysis of the vulnerability CVE-2021-44228, identified on 9th Dec 2021.
We will update this page with information and protection details as they become available.
Summary
CVE-2021-44228 (Log4Shell) is a vulnerability in the Apache Log4j library that allows remote code execution.
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Indexima contains some exposed log4j2 libraries, so Indexima is affected by this vulnerability.
Impact
In order to exploit this vulnerability, the Indexima server needs to connect to a malicious server. Thus, if outbound connections to addresses outside the internal network or to unknown addresses are blocked, we consider this a minor risk.
Otherwise, we consider this a major risk.
Mitigation
- [13th Dec 2021, initial version]: You are already protected if you have installed a Java version over 8u121 (see Java™ SE Development Kit 8, Update 121 Release Notes).
- [14th Dec 2021]: Java version up to 8u191 neutralizes the vulnerability (by preventing the execution of any downloaded remote code).
- [14th Dec 2021]: Filter outbound traffic from Indexima servers towards only trusted servers.
- [14th Dec 2021]: Indexima will release a service pack containing the fix (Log4j library update to 2.15.0, as advised on the documentation sites). We will communicate the release date in the next update.
- [20th Dec 2021]: Indexima released a service pack containing the fix (Log4j library update to 2.15.0, as advised on the documentation sites).
- The patch version is 2021.5.sp3: Go to https://download.indexima.com/release/2021.5/3/
- Documentation is up to date: Go to 2021.5 - Services Packs
Workarounds [14th Dec 2021]
The workaround consists of setting the property log4j2.formatMsgNoLookups to true, by adding the -Dlog4j2.formatMsgNoLookups=true argument to the startup scripts of Indexima. A restart of Indexima is required.
Galactica
StandAlone Mode - Linux & YARN
- Modify galactica_env.sh
galactica_env.sh - Before
# JVM options defined here will be set on the node server command line (start-node.sh)
NODESERVER_JVM_OPTIONS=${ATLAS} ${SOLR_JAAS_CLIENT_CONFIG_OPTION}
galactica_env.sh - After Modification
# JVM options defined here will be set on the node server command line (start-node.sh)
NODESERVER_JVM_OPTIONS="${ATLAS} ${SOLR_JAAS_CLIENT_CONFIG_OPTION} -Dlog4j2.formatMsgNoLookups=true"
StandAlone Mode - Windows
- Modify galactica_env.bat
galactica_env.bat - Before
REM JVM options defined here will be set on the node server command line (start-node.sh)
set NODESERVER_JVM_OPTIONS=%SOLR_JAAS_CLIENT_CONFIG_OPTION%
galactica_env.bat - After Modification
REM JVM options defined here will be set on the node server command line (start-node.sh)
set NODESERVER_JVM_OPTIONS=%SOLR_JAAS_CLIENT_CONFIG_OPTION% -Dlog4j2.formatMsgNoLookups=true
Visualdoop2
StandAlone Mode - Linux & YARN
- Modify start.sh
start.sh - Before
$JAVA_HOME/bin/java ${INSTANCE_NAME} -cp :config:lib/*:driver/*:web:templates:$VISUALDOOP_LIB com.visualdoop.Visualdoop
start.sh - After Modification
$JAVA_HOME/bin/java ${INSTANCE_NAME} -Dlog4j2.formatMsgNoLookups=true -cp :config:lib/*:driver/*:web:templates:$VISUALDOOP_LIB com.visualdoop.Visualdoop
StandAlone Mode - Windows
- Modify start.bat
start.bat - Before
%JAVA_HOME%\bin\java -cp config;lib\*;driver\*;web;templates;%VISUALDOOP_LIB%;. com.visualdoop.Visualdoop
start.bat - After Modification
%JAVA_HOME%\bin\java -Dlog4j2.formatMsgNoLookups=true -cp config;lib\*;driver\*;web;templates;%VISUALDOOP_LIB%;. com.visualdoop.Visualdoop
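To confirm that the service pack and the workaround above actually landed on a Linux host, here is an added audit script (not Indexima's own tooling) that lists log4j-core jars older than 2.15.0 under an install directory and running JVMs whose command line lacks -Dlog4j2.formatMsgNoLookups=true; the install path you pass to main is an assumption about your layout.

```shell
#!/bin/sh
# Added audit helper, not Indexima's own tooling: lists log4j-core jars older
# than the fixed 2.15.0 and running JVMs started without the workaround flag.
# The install directory passed to main (e.g. /opt/indexima) is an assumption.

# Return 0 when a JVM command line carries the workaround flag, 1 otherwise.
has_nolookups_flag() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare dotted versions numerically; prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "${ai:-0}" -lt "${bi:-0}" ] && { printf '%s\n' -1; return 0; }
    [ "${ai:-0}" -gt "${bi:-0}" ] && { printf '%s\n' 1; return 0; }
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  printf '%s\n' 0
}

# "lib/log4j-core-2.14.1.jar" -> "2.14.1"
jar_version() {
  v="${1##*/}"; v="${v#log4j-core-}"; printf '%s\n' "${v%.jar}"
}

# Print every log4j-core jar below the install dir that is older than 2.15.0.
find_vulnerable_jars() {
  find "$1" -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
    if [ "$(vercmp "$(jar_version "$jar")" 2.15.0)" -lt 0 ]; then printf '%s\n' "$jar"; fi
  done
}

# Print the command line of every running java process lacking the flag.
audit_running_jvms() {
  ps -eo args 2>/dev/null | grep '[j]ava' | while read -r cmd; do
    has_nolookups_flag "$cmd" || printf 'MISSING FLAG: %s\n' "$cmd"
  done
}

main() {
  echo "== log4j-core jars older than 2.15.0 under $1 =="; find_vulnerable_jars "$1"
  echo "== running JVMs without -Dlog4j2.formatMsgNoLookups=true =="; audit_running_jvms
}
```

Run it with `main /opt/indexima` (or your own install path) after the service pack and the restart. The flag is only honoured by Log4j 2.10 and later, which is why the jar version check is kept alongside the command-line check.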
DOCUMENTATION
- https://logging.apache.org/log4j/2.x/security.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
- https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Versions
- 13th Dec 2021: initial Version
- 14th Dec 2021: Update with workarounds & JRE version
- 20th Dec 2021: Update with the release of the sp3 of version 2021.5 containing the patch