
Tracking Log4J CVE-2021-44228 Fixes #2007

Closed
alxp opened this issue Dec 13, 2021 · 3 comments

@alxp (Contributor) commented Dec 13, 2021

Setting this up to track our responses to the Log4J security issue. https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/

Playbook

PR Islandora-Devops/islandora-playbook#209

Per initial instructions this PR sets a global environment variable as per the CVE announcement. This can also be done by hand, or by using the following to set Java settings directly:

"(Linux/MacOS) Edit your solr.in.sh file to include:

```sh
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
```

Edit your solr-exporter script to include:

```sh
JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
```
"

The PR also includes a Solr version update which contains the latest version of Log4j. This will not force an update of an existing site, for that you should update Solr manually.

Additionally, the playbook now does a scan for Log4J 2.x JARs and directly removes the JndiLookup class where it is found. This is the surest mitigation so far.

Force update Solr

If you'd like to force Ansible to update Solr without losing your data, you can remove the two files noted in this comment on the Geerlingguy Solr project.

ISLE

Follow the discussion in the #ISLE channel on Islandora's Slack
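The scan-and-strip step described above (find Log4j 2.x JARs, remove the JndiLookup class), as an added example that is not the playbook's own code. It uses only the Python standard library, assumes the `log4j-core-<version>.jar` file naming, and builds a constructed stand-in JAR rather than touching a real artifact:

```python
import os
import re
import tempfile
import zipfile

# Entry the playbook strips from Log4j 2.x JARs (Apache's documented mitigation).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def scan(root):
    """Return [(path, (major, minor, patch), jndi_present)] for log4j-core JARs under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            path = os.path.join(dirpath, name)
            if m and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    present = JNDI_CLASS in zf.namelist()
                findings.append((path, tuple(int(x) for x in m.groups()), present))
    return findings


def remove_jndi_lookup(path):
    """Rewrite the JAR without JndiLookup.class. Returns True if the entry was removed."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)  # atomic swap: a crash never leaves a half-written JAR behind
    return removed


def demo():
    """Constructed sample (not a real Log4j artifact): build, scan, mitigate, rescan."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
    os.makedirs(os.path.dirname(jar))
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    before = scan(root)
    # Strip only from versions below 2.16.0, where the class is still present and reachable.
    removed = [remove_jndi_lookup(p) for p, ver, present in before if present and ver < (2, 16, 0)]
    after = scan(root)
    return {"before": before, "removed": removed, "after": after}
```

Run `demo()` to see the JAR reported with JndiLookup present before, and absent after, the rewrite; on a real host point `scan()` at the Solr install root and review the findings before removing anything.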

@jasonhildebrand commented

It would be helpful to see a list of affected components. SOLR certainly. Are there others? Or is this still being assessed?

@kstapelfeldt (Member) commented Jan 5, 2022

From the tech call

  • What was the issue? - find something from media or web that outlines this problem.
  • Where can all of the instances of log4j be found, and in which versions?
  • For the Islandora stack, Log4j was only a problem in some Solr versions (8.x primarily; the recommended version is now 8.11.1). Specifically, Log4j 2.x below 16.
  • Steps taken to mitigate the Log4j vulnerabilities?
  • How was it tested to prove that the current Islandora version isn’t susceptible to the log4j vulnerabilities? A discussion in Islandora Slack suggests that the Log4j vulnerability is not relevant in the version of Solr utilized by existing Islandora deployment methods. A pull request was authored to bump the version of Solr used by the Ansible Playbook. For ISLE 7, a fix was deployed. See also the Slack discussions: https://islandora.slack.com/archives/C02QUTC53L5/p1639634033022700 and https://islandora.slack.com/archives/C02QUTC53L5/p1640100450075500?thread_ts=1640008295.070700&cid=C02QUTC53L5
  • Are there any special steps needed by users to integrate the changes (if any)?
  • Is there any documentation where people can go for additional information?

@alxp (Contributor, Author) commented Jan 6, 2022

The Playbook PR is in need of a tester from outside of my organization.

@rosiel rosiel closed this as completed Sep 16, 2022