Log4j Vulnerability

The versions of OpenIAM listed below are impacted by the Log4j vulnerability.

  • Version 4.2.0.8 and earlier
  • Version 4.2.1.1 and 4.2.1.0

Versions 4.2.0.9, 4.2.1.2, and 4.2.2 contain updated versions of Log4j and are not impacted by this vulnerability.

The sections describes configurations to resolve this vulnerability. The sections are organized by the type of deployment.

Docker swarm deployments

Update the following yaml files with the environment variable shown below.

  • 3.2/infrastructure/elasticsearch/docker-compose.yaml
  • 3.2/infrastructure/cassandra/docker-compose.yaml (OpenIAM >=4.2.1)
  • 3.2/infrastructure/kibana/docker-compose.yaml
  • 3.2/infrastructure/metricbeat/docker-compose.yaml
  • 3.2/infrastructure/filebeat/docker-compose.yaml
environment:
LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"

For Elasticsearch, you will also need to add the following -D arg: -Dlog4j2.formatMsgNoLookups=true

For example, the elasticsearch docker-compose.yaml will resemble the example below:

environment:
- "LOG4J_FORMAT_MSG_NO_LOOKUPS=true"
- "OPENIAM_LOG_LEVEL=${OPENIAM_BASH_LOG_LEVEL}"
- "bootstrap.memory_lock=true"
- "ELASTICSEARCH_DISCOVERY_URL=${ELASTICSEARCH_DISCOVERY_URL}"
- "ELASTICSEARCH_DISCOVERY_TYPE=${ELASTICSEARCH_DISCOVERY_TYPE}"
- "ES_JAVA_OPTS=-Xms1024m -Xmx1024m -Des.discovery.zen.ping.multicast.enable=false -Des.discovery.zen.ping.unicast.hosts={ELASTICSEARCH_DISCOVER_URL} -Dlog4j2.formatMsgNoLookups=true"

For filebeat, the environment section will look like this:

environment:
LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"

RPM Deployments

Update the Elasticsearch jvm options file

  • Edit file /etc/elasticsearch/jvm.options
  • Add the following environment variable" -Dlog4j2.formatMsgNoLookups=true and save the file
  • Restart elasticsearch systemctl restart elasticsearch

For OpenIAM version 4.2.1 and 4.2.1.1, follow the steps shown below:

  • Update the following files
    • /etc/cassandra/conf/jvm-server.options
    • /etc/cassandra/conf/jvm-clients.options
  • Add the following environment variable: -Dlog4j2.formatMsgNoLookups=true
  • Restart Cassandra: service cassandra restart

Kubernetes

For kubernetes deployments, you will have to do the following:

  • modify the extraEnvs in metricbeat.values.yaml, filebeat.values.yaml, and kibana.values.yaml to include the required environment variable:
extraEnvs:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: true

You will have to re-run ./setup.sh after making these modifications, and redeploy (either using helm or terraform). In addition, you will have to do the following, depending on if you are using terraform or helm:

Kubernetes with Terraform deployments

For deployments which use Kubernetes and the OpenIAM Terraform scripts, follow the steps described below:

  • Modify the elasticsearch.helm.esJavaOpts property as shown below.
elasticsearch = {
.
# use only when deploying to GKE or Local Kubernetes Cluster
helm = {
esJavaOpts = "-XshowSettings:vm -Xmx1536m -Xms1536m -Dlog4j2.formatMsgNoLookups=true"

Kubernetes without Terraform deployments

For deployments which use Kubernetes, but do not make use of the OpenIAM Terraform scripts, follow the steps described below:

  • Append -Dlog4j2.formatMsgNoLookups=true to the helm property elasticsearch.helm.esJavaOpts when deploying elasticsearch via helm