IBM Support

Deploying the fix for the Log4Shell vulnerability for Data Virtualization on Cloud Pak for Data 4.0

How To


Summary

A fix for the Log4Shell vulnerability for Data Virtualization is available on Data Virtualization 1.7.3 on Cloud Pak for Data 4.0.4.
Although the version of Data Virtualization that was included with Cloud Pak for Data 4.0.3 was 1.7.3, only the version of Data Virtualization that is shipped with Cloud Pak for Data 4.0.4 contains the Log4Shell fix.

Steps

You must update the Cloud Pak for Data platform to version 4.0.4 to install the Log4Shell fix for Data Virtualization. To upgrade your Cloud Pak for Data platform to 4.0.4, see the following links:

If you are upgrading from IBM Cloud Pak for Data 4.0.3, the Data Virtualization pods will restart after the db2u operator is updated. If the db2u operator subscription installPlanApproval is set to "Automatic", the Data Virtualization pods will restart when the db2u operator catalog is updated. After the restart of the Data Virtualization pods is complete, you must also manually restart the header and worker pods to complete the Log4Shell fix. This manual restart can be performed by running the following command:

current_replicas=$(oc get sts c-db2u-dv-db2u -o jsonpath="{.spec.replicas}");oc scale sts c-db2u-dv-db2u --replicas=0; sleep 3m; oc scale sts c-db2u-dv-db2u --replicas=$current_replicas

If you are upgrading from a version of IBM Cloud Pak for Data other than 4.0.3, you can restart Data Virtualization head and worker pods after the upgrade has finished successfully.

You can also run the following commands to delete old files from your updated Data Virtualization instance that contained old log4j binaries.

1. oc rsh c-db2u-dv-db2u-0
2. su - db2inst1
3. rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar
4. ${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar"
5. ${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar"
6. rm -rf /mnt/PV/versioned/uc_dsserver_shared/config/DATAVIRTUALIZATION_ENDPOINT_V1.7.3_20211119_164257.tar.gz /mnt/PV/versioned/uc_dsserver_shared/config/DATAVIRTUALIZATION_ENDPOINT_V1.7.3_20211119_164257.zip
7. cp /opt/ibm/qp_artifacts/archives/DATAVIRTUALIZATION_ENDPOINT_V1.7.3_20211119_164257.tar.gz /mnt/PV/versioned/uc_dsserver_shared/config
8. cp /opt/ibm/qp_artifacts/archives/DATAVIRTUALIZATION_ENDPOINT_V1.7.3_20211119_164257.zip /mnt/PV/versioned/uc_dsserver_shared/config

Additional Information

If you run a security vulnerability scanning tool on the Docker images, you might find that some of the affected packages at the affected version are still present on it. Those packages have been modified according to guidance provided by the log4j development team so that they are no longer vulnerable.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSK1AQ","label":"IBM Data Virtualization"},"ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
21 December 2021

UID

ibm16527934

Page Feedback