Log4j Vulnerability

The versions of OpenIAM listed below are impacted by the Log4j vulnerability.

  • Version 4.2.0.8 and earlier
  • Version 4.2.1.2 and 4.2.1.0

Versions 4.2.0.9, 4.2.1.2, and 4.2.2 contain updated versions of Log4j and are not impacted by this vulnerability.

The sections below describe the configuration changes that resolve this vulnerability. They are organized by the type of deployment.

Docker swarm deployments

Update the following yaml files with the environment variable shown below.

  • 3.2/infrastructure/elasticsearch/docker-compose.yaml
  • 3.2/infrastructure/cassandra/docker-compose.yaml (OpenIAM >=4.2.1)
  • 3.2/infrastructure/kibana/docker-compose.yaml
  • 3.2/infrastructure/metricbeat/docker-compose.yaml
  • 3.2/infrastructure/filebeat/docker-compose.yaml
environment:
  LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"

For Elasticsearch, you will also need to add the following JVM argument to ES_JAVA_OPTS: -Dlog4j2.formatMsgNoLookups=true

For example, the elasticsearch docker-compose.yaml will resemble the example below:

environment:
  - "LOG4J_FORMAT_MSG_NO_LOOKUPS=true"
  - "OPENIAM_LOG_LEVEL=${OPENIAM_BASH_LOG_LEVEL}"
  - "bootstrap.memory_lock=true"
  - "ELASTICSEARCH_DISCOVERY_URL=${ELASTICSEARCH_DISCOVERY_URL}"
  - "ELASTICSEARCH_DISCOVERY_TYPE=${ELASTICSEARCH_DISCOVERY_TYPE}"
  - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m -Des.discovery.zen.ping.multicast.enable=false -Des.discovery.zen.ping.unicast.hosts=${ELASTICSEARCH_DISCOVERY_URL} -Dlog4j2.formatMsgNoLookups=true"

For filebeat, the environment section will look like this:

environment:
  LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"

RPM Deployments

Update the Elasticsearch jvm.options file

  • Edit the file /etc/elasticsearch/jvm.options
  • Add the following JVM option on its own line: -Dlog4j2.formatMsgNoLookups=true and save the file
  • Restart Elasticsearch: systemctl restart elasticsearch

For OpenIAM version 4.2.1 and 4.2.1.2, follow the steps shown below:

  • Update the following files
    • /etc/cassandra/conf/jvm-server.options
    • /etc/cassandra/conf/jvm-clients.options
  • Add the following JVM option on its own line in each file: -Dlog4j2.formatMsgNoLookups=true
  • Restart Cassandra: service cassandra restart
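To confirm that the Docker swarm and RPM changes above actually took effect before redeploying, the following added audit script (example code, not part of OpenIAM) checks a loaded docker-compose structure and a jvm.options file for the mitigation. It accepts the compose document as a Python dict of the shape yaml.safe_load would return, handles both environment forms shown above (mapping and "KEY=value" list), and additionally requires the JVM flag inside ES_JAVA_OPTS for the elasticsearch service; the sample compose data and the service names are constructed for the example.

```python
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
ENV_VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


def environment_to_dict(env):
    """Normalise a compose 'environment' block into {KEY: str(value)}.
    Compose accepts a mapping (KEY: value) or a list of "KEY=value" strings."""
    if env is None:
        return {}
    if isinstance(env, dict):
        return {k: str(v) for k, v in env.items()}
    result = {}
    for item in env:
        key, sep, value = str(item).partition("=")
        result[key] = value if sep else ""
    return result


def audit_service(name, service):
    """Return findings for one service; an empty list means it looks mitigated.
    Elasticsearch additionally needs the JVM flag inside ES_JAVA_OPTS."""
    env = environment_to_dict(service.get("environment"))
    findings = []
    if env.get(ENV_VAR, "").lower() != "true":
        findings.append(f"{name}: {ENV_VAR} is not set to true")
    if name == "elasticsearch" and JVM_FLAG not in env.get("ES_JAVA_OPTS", "").split():
        findings.append(f"{name}: {JVM_FLAG} missing from ES_JAVA_OPTS")
    return findings


def audit_compose(compose):
    """Audit every service in a loaded docker-compose document."""
    findings = []
    for name, service in compose.get("services", {}).items():
        findings.extend(audit_service(name, service))
    return findings


def jvm_options_has_flag(text):
    """True if a jvm.options file (one option per line, '#' comments) sets the flag."""
    lines = (line.strip() for line in text.splitlines())
    return any(line == JVM_FLAG for line in lines if not line.startswith("#"))


# Constructed sample: one service in each environment form, plus one left unmitigated.
SAMPLE_COMPOSE = {"services": {
    "elasticsearch": {"environment": [
        "LOG4J_FORMAT_MSG_NO_LOOKUPS=true",
        "ES_JAVA_OPTS=-Xms1024m -Xmx1024m -Dlog4j2.formatMsgNoLookups=true"]},
    "filebeat": {"environment": {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}},
    "kibana": {"environment": ["OPENIAM_LOG_LEVEL=info"]},
}}
```

Running audit_compose on a real file only needs yaml.safe_load on each docker-compose.yaml listed above; jvm_options_has_flag takes the contents of /etc/elasticsearch/jvm.options or the Cassandra jvm-*.options files.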

Kubernetes

For kubernetes deployments, you will have to do the following:

  • Modify the extraEnvs in metricbeat.values.yaml, filebeat.values.yaml, and kibana.values.yaml to include the required environment variable (the value must be a quoted string, since Kubernetes environment variable values are strings):
extraEnvs:
  - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
    value: "true"

You will have to re-run ./setup.sh after making these modifications, and then redeploy (using either helm or terraform). In addition, you will have to do the following, depending on whether you are using terraform or helm:

Kubernetes with Terraform deployments

For deployments which use Kubernetes and the OpenIAM Terraform scripts, follow the steps described below:

  • Modify the elasticsearch.helm.esJavaOpts property as shown below (the rest of the elasticsearch block is omitted).
elasticsearch = {
  # ...
  # use only when deploying to GKE or Local Kubernetes Cluster
  helm = {
    esJavaOpts = "-XshowSettings:vm -Xmx1536m -Xms1536m -Dlog4j2.formatMsgNoLookups=true"
  }
}

Kubernetes without Terraform deployments

For deployments which use Kubernetes, but do not make use of the OpenIAM Terraform scripts, follow the steps described below:

  • Append -Dlog4j2.formatMsgNoLookups=true to the Helm property elasticsearch.helm.esJavaOpts when deploying Elasticsearch via Helm