Log4j Vulnerability
The versions of OpenIAM listed below are impacted by the Log4j vulnerability.
- Version 4.2.0.8 and earlier
- Version 4.2.1.2 and 4.2.1.0
Versions 4.2.0.9, 4.2.1.2, and 4.2.2 contain updated versions of Log4j and are not impacted by this vulnerability.
The sections below describe the configuration changes that resolve this vulnerability. They are organized by the type of deployment.
Docker swarm deployments
Update the following yaml files with the environment variable shown below.
- 3.2/infrastructure/elasticsearch/docker-compose.yaml
- 3.2/infrastructure/cassandra/docker-compose.yaml (OpenIAM >=4.2.1)
- 3.2/infrastructure/kibana/docker-compose.yaml
- 3.2/infrastructure/metricbeat/docker-compose.yaml
- 3.2/infrastructure/filebeat/docker-compose.yaml
    environment:
      LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"
For Elasticsearch, you will also need to add the following -D argument to ES_JAVA_OPTS: -Dlog4j2.formatMsgNoLookups=true
For example, the environment section of the elasticsearch docker-compose.yaml will resemble the example below:
    environment:
      - "LOG4J_FORMAT_MSG_NO_LOOKUPS=true"
      - "OPENIAM_LOG_LEVEL=${OPENIAM_BASH_LOG_LEVEL}"
      - "bootstrap.memory_lock=true"
      - "ELASTICSEARCH_DISCOVERY_URL=${ELASTICSEARCH_DISCOVERY_URL}"
      - "ELASTICSEARCH_DISCOVERY_TYPE=${ELASTICSEARCH_DISCOVERY_TYPE}"
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m -Des.discovery.zen.ping.multicast.enable=false -Des.discovery.zen.ping.unicast.hosts={ELASTICSEARCH_DISCOVER_URL} -Dlog4j2.formatMsgNoLookups=true"
For filebeat, the environment section will look like this:
    environment:
      LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"
RPM Deployments
Update the Elasticsearch jvm.options file:
- Edit the file /etc/elasticsearch/jvm.options
- Add the following line and save the file:
    -Dlog4j2.formatMsgNoLookups=true
- Restart Elasticsearch:
    systemctl restart elasticsearch
For OpenIAM version 4.2.1 and 4.2.1.2, follow the steps shown below:
- Update the following files:
  - /etc/cassandra/conf/jvm-server.options
  - /etc/cassandra/conf/jvm-clients.options
- Add the following line to each file:
    -Dlog4j2.formatMsgNoLookups=true
- Restart Cassandra:
    service cassandra restart
Kubernetes
For Kubernetes deployments, you will have to do the following:
- Modify the extraEnvs section in metricbeat.values.yaml, filebeat.values.yaml, and kibana.values.yaml to include the required environment variable (the value must be the quoted string "true", since Kubernetes rejects a bare YAML boolean in an env value):
    extraEnvs:
      - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
        value: "true"
You will have to re-run ./setup.sh after making these modifications, and redeploy (either using helm or terraform). In addition, you will have to do the following, depending on whether you are using terraform or helm:
Kubernetes with Terraform deployments
For deployments which use Kubernetes and the OpenIAM Terraform scripts, follow the steps described below:
- Modify the elasticsearch.helm.esJavaOpts property as shown below.
    elasticsearch = {
      ….
      # use only when deploying to GKE or Local Kubernetes Cluster
      helm = {
        esJavaOpts = "-XshowSettings:vm -Xmx1536m -Xms1536m -Dlog4j2.formatMsgNoLookups=true"
      }
    }
Kubernetes without Terraform deployments
For deployments which use Kubernetes, but do not make use of the OpenIAM Terraform scripts, follow the steps described below:
- Append -Dlog4j2.formatMsgNoLookups=true to the helm property elasticsearch.helm.esJavaOpts when deploying elasticsearch via helm.