Log4j vulnerability patch for 2.0.x release notes
This patch addresses the log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104 on Cloud Pak for Data System 2.0.x.
Before you begin
- During the process, the nodes are rebooted in a rolling reboot to apply the new version. The time for the upgrade depends on the number of nodes in the system.
- No downtime is required for this upgrade; however, if there are no spare nodes to run the application, application downtime might be required.
Procedure
- Make sure the cluster is in good health prior to applying this fix by running the following commands and checking the results:
  - oc get nodes
    Check the output in the STATUS column to verify that the entry for each node is Ready.
  - oc get mcp
    Check the output in the UPDATED column to verify that the entry for each machine config pool is True.
  - oc get co
    Check the output in the AVAILABLE column and verify that the entry for each cluster operator is True. Check the output in the DEGRADED column and verify that the entry for each cluster operator is False.
- Download the 1.0.0.0-openshift-4.6.log4j-WS-ICPDS-fpxxx package from FixCentral.
- Transfer the fix bundle file to node e1n1. The recommended download location on e1n1 is /root.
- Make sure the current directory is the one containing the downloaded log4j fix bundle. Extract the fix bundle by running this command:
    tar -xvf openshift-4.6.log4j.tar.gz
  This will extract the following files:
    readme.log4j_fix
    mirror-ocp46.tar.gz
    upgrade_ocp.py
    patch_elasticsearch.py
- Make sure the current directory is the one that contains the upgrade_ocp.py file extracted from the fix bundle. Perform the OpenShift Container Platform upgrade by running the following command:
    ./upgrade_ocp.py
  Tip: If the log4j fix bundle was extracted to any location other than /root, then run the command like this:
    ./upgrade_ocp.py -f <mirror-file-path>
  where <mirror-file-path> is the full path to the mirror-ocp46.tar.gz file extracted from the fix bundle.
- Check the status of the upgrade by running this command:
    oc adm upgrade
  Check the first line of the output. It should either show a percent complete message like this:
    info: An upgrade is in progress. Working towards 4.6.53: 20% complete
  or show that the upgrade is completed, like this:
    Cluster version is 4.6.53
  You can ignore any other output, such as a warning that it cannot display available updates.
- Apply the following workaround on each node if it is stuck in machine config reboot state as described in https://access.redhat.com/solutions/5598401:
    rpm-ostree status
    /run/bin/machine-config-daemon pivot 'quay.io/openshift-release-dev/ocp-v4.0-art-dev@<sha-id>'
    rpm-ostree status
    systemctl restart ostree-finalize-staged.service
    reboot
- Once the OpenShift Container Platform upgrade on the cluster has completed with all the nodes in Ready state, patch the elasticsearch (OpenShift Logging) component by running the following command:
    ./patch_elasticsearch.py
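The health checks in the first step (oc get nodes, oc get mcp, oc get co) and the "all nodes in Ready state" condition before the last step are easy to misread by eye on a larger system. The following script is an added example, not part of the IBM fix bundle, that automates them: it assumes only the standard tabular output of the three oc get commands and fails closed if an expected column is missing. The sample outputs embedded at the bottom are constructed so the checks can be exercised offline; on e1n1, cluster_healthy runs them against the live cluster.

```shell
#!/bin/sh
# Added example (not part of the fix bundle): automates the "oc get" checks from
# the procedure. Assumes the plain tabular output of "oc get nodes", "oc get mcp"
# and "oc get co". The sample outputs below are constructed, not captured.

# check_column OUTPUT COLUMN EXPECTED
# Succeeds only if every data row of OUTPUT has EXPECTED in the header column COLUMN.
# Fails if the column is absent, so a renamed or missing column never passes silently.
check_column() {
    printf '%s\n' "$1" | awk -v col="$2" -v want="$3" '
        BEGIN { bad = 0; idx = 0 }
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i == col) idx = i
            if (!idx) { bad = 1; exit }
            next
        }
        NF && $idx != want { bad = 1 }
        END { exit bad }'
}

nodes_ok() { check_column "$1" STATUS Ready; }      # oc get nodes: STATUS must be Ready
mcp_ok()   { check_column "$1" UPDATED True; }      # oc get mcp: UPDATED must be True
co_ok()    {                                        # oc get co: AVAILABLE True, DEGRADED False
    check_column "$1" AVAILABLE True && check_column "$1" DEGRADED False
}

# Runs the real checks where oc is available (e1n1); exit status 0 means healthy.
cluster_healthy() {
    nodes_ok "$(oc get nodes)" && mcp_ok "$(oc get mcp)" && co_ok "$(oc get co)"
}

# Constructed sample outputs used to exercise the checks offline.
NODES_READY='NAME   STATUS   ROLES    AGE   VERSION
e1n1   Ready    master   10d   v1.19.0
e2n1   Ready    worker   10d   v1.19.0'
# A node mid rolling reboot is cordoned: its STATUS is not plain "Ready".
NODES_REBOOTING='NAME   STATUS                     ROLES    AGE   VERSION
e1n1   Ready                      master   10d   v1.19.0
e2n1   Ready,SchedulingDisabled   worker   10d   v1.19.0'
MCP_OK='NAME     CONFIG                    UPDATED   UPDATING   DEGRADED   MACHINECOUNT
master   rendered-master-sample1   True      False      False      3
worker   rendered-worker-sample2   True      False      False      2'
CO_OK='NAME             VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication   4.6.53    True        False         False      5d
dns              4.6.53    True        False         False      10d'
CO_DEGRADED='NAME             VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication   4.6.53    True        False         True       5m
dns              4.6.53    True        False         False      10d'

# Only attempt the live checks when the oc client is present.
if command -v oc >/dev/null 2>&1; then
    if cluster_healthy; then
        echo "cluster healthy: safe to proceed"
    else
        echo "cluster NOT healthy: do not apply the fix yet" >&2
    fi
fi
```

Note that during the rolling reboot a node shows Ready,SchedulingDisabled rather than Ready, so nodes_ok correctly reports the cluster as not yet settled; rerun it until every node is plain Ready before running patch_elasticsearch.py.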