Log4j vulnerability patch for 2.0.x release notes

This patch addresses the log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104 on Cloud Pak for Data System 2.0.x.

Note: This patch updates Red Hat Enterprise Linux CoreOS (RHCOS) to version 4.6.53. Therefore, all CVEs addressed until RHCOS 4.6.53 are included in this patch.

Before you begin

  • During the process, the nodes are rebooted in a rolling reboot to apply the new version. The time for the upgrade depends on the number of nodes in the system.
  • No downtime is required for this upgrade; however, if there are no spare nodes on which to run the application, application downtime might be required.

Procedure

  1. Make sure the cluster is in good health prior to applying this fix by running the following commands and checking the results:
    1. oc get nodes

      Check the output in the STATUS column to verify that the entry for each node is Ready.

    2. oc get mcp

      Check the output in the UPDATED column to verify that the entry for each machine config pool is True.

    3. oc get co

      Check the output in the AVAILABLE column and verify that the entry for each cluster operator is True.

      Check the output in the DEGRADED column and verify that the entry for each cluster operator is False.

  2. Download the 1.0.0.0-openshift-4.6.log4j-WS-ICPDS-fpxxx package from FixCentral.
  3. Transfer the fix bundle file to node e1n1.

    The recommended download location on e1n1 is /root.

  4. Make sure the current directory is the one containing the downloaded log4j fix bundle. Extract the fix bundle by running this command:
    tar -xvf openshift-4.6.log4j.tar.gz
    This will extract the following files:
    readme.log4j_fix
    mirror-ocp46.tar.gz
    upgrade_ocp.py
    patch_elasticsearch.py
  5. Make sure the current directory is the one that contains the upgrade_ocp.py file extracted from the fix bundle.
    Perform the OpenShift Container Platform upgrade by running the following command:
    ./upgrade_ocp.py
    Tip: If the log4j fix bundle was extracted to any location other than /root, then run the command like this:
    ./upgrade_ocp.py -f <mirror-file-path>
    where <mirror-file-path> is the full path to the mirror-ocp46.tar.gz file extracted from the fix bundle.
  6. Check the status of the upgrade by running this command:
    oc adm upgrade

    Check the first line of the output. It should either show a percent complete message like this:

    info: An upgrade is in progress. Working towards 4.6.53: 20% complete
    or show that the upgrade is completed, like this:
    Cluster version is 4.6.53

    You can ignore any other output, such as a warning that it cannot display available updates.

  7. Apply the following workaround on any node that is stuck in the machine config reboot state, as described in https://access.redhat.com/solutions/5598401:
    rpm-ostree status
    /run/bin/machine-config-daemon pivot 'quay.io/openshift-release-dev/ocp-v4.0-art-dev@<sha-id>'
    rpm-ostree status
    systemctl restart ostree-finalize-staged.service
    reboot
  8. Once the OpenShift Container Platform upgrade on the cluster has completed with all the nodes in Ready state, patch the Elasticsearch (OpenShift Logging) component by running the following command:
    ./patch_elasticsearch.py
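The health checks in step 1 and the status check in step 6 can be scripted so that the fix is not started against an unhealthy cluster. The following helper is an added example, not part of the IBM fix bundle; it assumes the default column layout of `oc get nodes`, `oc get mcp`, `oc get co` and the first-line wording of `oc adm upgrade` shown above.

```bash
#!/usr/bin/env bash
# Added helper, not part of the fix bundle: automates the step-1 health checks
# and classifies the first line of `oc adm upgrade` output from step 6.
# Each check_* function reads the table printed by the matching `oc get`
# command on stdin and returns 0 only when every row passes.

# `oc get nodes` columns: NAME STATUS ROLES AGE VERSION -> STATUS is $2.
# A node that is mid-reboot shows NotReady or Ready,SchedulingDisabled, which
# is why this is a pre-flight check and not something to run during the upgrade.
check_nodes() { awk 'BEGIN{bad=0} NR>1 && $2!="Ready" {bad=1; print "node not Ready:", $1} END{exit bad}'; }

# `oc get mcp` columns: NAME CONFIG UPDATED UPDATING DEGRADED ... -> UPDATED is $3.
check_mcp() { awk 'BEGIN{bad=0} NR>1 && $3!="True" {bad=1; print "pool not updated:", $1} END{exit bad}'; }

# `oc get co` columns: NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE
# -> AVAILABLE is $3 and DEGRADED is $5.
check_co() { awk 'BEGIN{bad=0} NR>1 && ($3!="True" || $5!="False") {bad=1; print "operator unhealthy:", $1} END{exit bad}'; }

# Reads `oc adm upgrade` output on stdin and prints one word for its first line:
#   done        -> "Cluster version is 4.6.53"
#   in-progress -> "info: An upgrade is in progress. Working towards 4.6.53: 20% complete"
#   unknown     -> anything else; investigate before running patch_elasticsearch.py
upgrade_state() {
  local first
  IFS= read -r first
  case "$first" in
    "Cluster version is "*)            echo done ;;
    *"Working towards "*"% complete"*) echo in-progress ;;
    *)                                 echo unknown ;;
  esac
}

# Runs all three step-1 checks against the live cluster; stops at the first failure.
preflight() {
  oc get nodes | check_nodes || return 1
  oc get mcp   | check_mcp   || return 1
  oc get co    | check_co    || return 1
  echo "cluster healthy: OK to apply the log4j fix"
}

# Only talk to a cluster when the oc client is actually installed.
if command -v oc >/dev/null 2>&1; then preflight; fi
```

Run `oc adm upgrade | upgrade_state` after sourcing the script to get a single word you can loop on while waiting for step 6 to finish.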