Log4j vulnerability patch 1.0.0.1 for versions 1.0.7.x - Release notes

This patch addresses the log4j vulnerabilities on Cloud Pak for Data System version 1.0.7.6 and later 1.0.7.x versions. The patch also includes the contents of the previous 1.0.0.0 patch.

The following vulnerabilities are addressed:
CVE-2021-44832
CVE-2021-44228
CVE-2021-45046

Before you begin

  • The patch is applicable to Cloud Pak for Data System version 1.0.7.6 and 1.0.7.7. For earlier versions, a manual procedure is available at https://www.ibm.com/support/pages/node/6527312.
  • The estimated run time is 5-10 minutes, depending on system size. System state is not impacted and no downtime is required.
  • The patch is applied by running the apply_fix.sh script, which applies the fix on all the VM nodes. NPS nodes are not affected.
  • The script only runs on enabled nodes. If any non-NPS nodes on your system are disabled, the script does not apply the fix to them until you enable them. You can re-run the script once they are enabled.

Procedure

  1. Download the 1.0.0.1-openshift-3.11.log4j-WS-ICPDS-fpxxx package from Fix Central.
  2. On the control VM e1n1-1-control, create a directory, for example patch:
    ssh e1n1-1-control
    mkdir patch

    and copy the downloaded tar file under this directory.
  3. Untar the file using the tar -xzvf command:
    [root@e1n1-1-control patch3]# tar -xzvf openshift-3.11-log4j.tar.gz
    apply_fix.sh
    ose-logging-elasticsearch5-v3.11.570-2.ge84e80c.tar
    README.md
    [root@e1n1-1-control patch3]#
  4. Run the apply_fix.sh script. It applies the fix on:
    • OpenShift Logging, if enabled
    Sample outputs:
    • With OpenShift Logging disabled:

      [root@e1n1-1-control patch]# sh apply_fix.sh
      No resources found.
      Fix is not applicable as openshift-logging is not enabled on this system
      
      [root@e1n1-1-control patch]#
    • With OpenShift Logging enabled:
      [root@e1n1-1-control patch3]# ./apply_fix.sh
      ===========================================
      Applying fix - openshift-logging is enabled
      ===========================================
      Now using project "openshift-logging" on server "https://apphub.fbond:8443".
      >>> Load new container image on all OpenShift nodes
      Pseudo-terminal will not be allocated because stdin is not a terminal.
      FIPS mode initialized
      
      >>> e1n1-1-control.fbond - verify appmgnt mounted
      mount.nfs: /opt/ibm/appmgt is busy or already mounted
      already mounted
      >>> e1n1-1-control.fbond - load new container image
      Getting image source signatures
      Copying blob sha256:f8dd3fee1ec29e128c537895410fcd443bccbb317490fb4a312fdfa42f02133e
      Copying blob sha256:dbbc9ddce71e1fff2fbf111f90ef6374da2788ee88ea55cba811dad4070e41f1
      Copying blob sha256:9317c0d5211ba25c2d4a671312e5d0d5a356fe604760f9d6fd48ac702412d04d
      Copying blob sha256:ec4020c026f0b26d30be2bbee477ad47331e7ce684c6b8206d43cf8fe6411c61
      Copying config sha256:52d6e057954e45a86074c918ca24c8bb7a293d3ff9b72c6df659e206c351f6ae
      Writing manifest to image destination
      Storing signatures
      Loaded image(s): @52d6e057954e45a86074c918ca24c8bb7a293d3ff9b72c6df659e206c351f6ae
      >>> e1n1-1-control.fbond - tag image to v3.11.188
      >>> e1n1-1-control.fbond - check logging elasticsearch images on node
      REPOSITORY                                                         TAG         IMAGE ID       CREATED       SIZE
      registry.access.redhat.com/openshift3/ose-logging-elasticsearch5   v3.11.188   52d6e057954e   13 days ago   524 MB
      registry.access.redhat.com/openshift3/ose-logging-elasticsearch5   v3.11.154   688f74339a47   2 years ago   745 MB
      >>> e1n1-1-control.fbond - image loading finished
      
      ...
      >>> Rollout openshift-logging deployment config
      deploymentconfig.apps.openshift.io/logging-es-data-master-5f8pipqn rolled out
              image: registry.access.redhat.com/openshift3/ose-logging-elasticsearch5:v3.11.188
      NAME                                      READY     STATUS    RESTARTS   AGE
      logging-es-data-master-5f8pipqn-1-bt2p8   2/2       Running   0          3m
      >>> Wait a minute for rollout of openshift-logging deployment config
      >>> Check status of openshift-logging deployment config
      NAME                                      READY     STATUS    RESTARTS   AGE
      logging-es-data-master-5f8pipqn-2-5mxnz   2/2       Running   0          50s
      >>> Confirm fix applied
      >>> done: Validated new image is used
      >>> updated version: /var/tmp/elasticsearch-5.6.16/lib/log4j-core-2.17.1.jar
      >>> updated version: /usr/share/elasticsearch/lib/log4j-core-2.17.1.jar
      >>> done: Fix applied successfully
      [root@e1n1-1-control patch3]#
    • With disabled node and OpenShift Logging enabled:
      [root@e1n1-1-control patch]# sh apply_fix.sh
      ===========================================
      Applying fix - openshift-logging is enabled
      ===========================================
      Now using project "openshift-logging" on server "https://apphub.fbond:8443".
      >>> Load new container image on all OpenShift nodes
      Pseudo-terminal will not be allocated because stdin is not a terminal.
      FIPS mode initialized
      
      >>> e1n1-1-control.fbond - verify appmgnt mounted
      …
      >>> e4n1-1-db2wh.fbond - image loading finished
      
      >>> Rollout openshift-logging deployment config
      deploymentconfig.apps.openshift.io/logging-es-data-master-vzw8ge0f rolled out
              image: registry.access.redhat.com/openshift3/ose-logging-elasticsearch5:v3.11.188
      NAME                                      READY     STATUS    RESTARTS   AGE
      logging-es-data-master-vzw8ge0f-3-t4bw7   2/2       Running   0          11h
      >>> Wait a minute for rollout of openshift-logging deployment config
      >>> Check status of openshift-logging deployment config
      NAME                                      READY     STATUS    RESTARTS   AGE
      logging-es-data-master-vzw8ge0f-4-qdxqx   2/2       Running   0          45s
      >>> Confirm fix applied
      >>> done: Validated new image is used
      >>> Fix applied on Ready nodes, To apply fix on NotReady nodes: e3n1-1-control.fbond          
      e3n1-2-worker.fbond
      >>> Please rerun the script when nodes are in Ready state.
      
      [root@e1n1-1-control patch]#
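The "Confirm fix applied" step above reports the log4j-core jar paths the script finds on the Elasticsearch pods. The stand-alone check below is an added example, not part of the release notes or of apply_fix.sh: it classifies a log4j-core jar by the version in its file name against the fix versions of the three CVEs this patch addresses (2.15.0, 2.16.0 and 2.17.1 on the 2.x main line) and scans a directory tree for such jars. The function names are hypothetical, and the 2.12.x/2.3.x backport branches are not handled.

```shell
#!/bin/sh
# Added example: classify log4j-core jars by file-name version.
# Assumes the standard name log4j-core-<major>.<minor>.<patch>.jar on the
# 2.x main line (the 2.12.x/2.3.x backport branches are not handled).

# version_ge A B -> exit 0 if dotted numeric version A >= B
version_ge() {
    a1=$(echo "$1" | cut -d. -f1); a2=$(echo "$1" | cut -d. -f2); a3=$(echo "$1" | cut -d. -f3)
    b1=$(echo "$2" | cut -d. -f1); b2=$(echo "$2" | cut -d. -f2); b3=$(echo "$2" | cut -d. -f3)
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -ge "${b3:-0}" ]
}

# log4j_core_status PATH -> prints "patched", "vulnerable:<CVEs>" or "unknown"
# Exit status: 0 patched, 1 vulnerable, 2 not a log4j-core jar.
log4j_core_status() {
    name=$(basename "$1")
    case "$name" in
        log4j-core-*.jar) ;;
        *) echo "unknown"; return 2 ;;
    esac
    ver=${name#log4j-core-}
    ver=${ver%.jar}
    open=""
    # Fix versions on the 2.x line for the CVEs named in these release notes
    version_ge "$ver" 2.15.0 || open="$open CVE-2021-44228"
    version_ge "$ver" 2.16.0 || open="$open CVE-2021-45046"
    version_ge "$ver" 2.17.1 || open="$open CVE-2021-44832"
    if [ -z "$open" ]; then echo "patched"; return 0; fi
    echo "vulnerable:${open# }"
    return 1
}

# scan_log4j DIR -> one line per jar: "<status> <path>"; exit 1 if any is vulnerable.
# Paths are word-split, so this assumes no whitespace in jar paths.
scan_log4j() {
    rc=0
    for jar in $(find "$1" -name 'log4j-core-*.jar' 2>/dev/null | sort); do
        st=$(log4j_core_status "$jar") || rc=1
        echo "$st $jar"
    done
    return $rc
}
```

Run scan_log4j against the Elasticsearch lib directories named in the script output (/usr/share/elasticsearch/lib and /var/tmp/elasticsearch-5.6.16/lib) inside the pod or on the node to get a per-jar verdict independent of the patch script.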