What is Log4Shell, and How Can You Tell if You’re Affected?

Eric Gregory - December 16, 2021

On December 9, 2021, Apache disclosed a critical severity vulnerability in its Log4j 2 logging utility, which records activity within Java applications. The vulnerability impacts all Apache Log4j 2 versions prior to 2.15.0.

The Mirantis team has confirmed that most of our products are unaffected by the vulnerability; the few issues we found were of low severity.

Customers who wish to assess whether their workload software is affected can use Mirantis Secure Registry (MSR). We have updated the vulnerability database in MSR to scan for the Log4j vulnerability CVE-2021-44228.

What is CVE-2021-44228 or Log4Shell?

The zero-day vulnerability designated CVE-2021-44228 — and known more informally as Log4Shell — allows an attacker to take control of a server running Log4j by injecting malicious code into most available input surfaces. The logger keeps track of activity on the server, and when it parses the malicious code, the server is compromised.

The U.S. National Vulnerability Database rates CVE-2021-44228 as a 10 out of 10 on its severity scale. The vulnerability is particularly troubling because Log4j is widely used, and because it is so easy to exploit. For example, in the Java edition of the popular online game Minecraft, attackers were able to assume control of servers simply by entering malicious code in the game’s chat, prompting the publisher to post patch instructions.

Unfortunately, many applications are built on technologies that rely on the Log4j library, including iCloud, Twitter, VMware vCenter, a variety of Apache tools, and many, many more.

Mirantis product impacts

Most of our products were unaffected by the vulnerability, and full details can be found on our GitHub security update page.

Not impacted:

  • Mirantis Container Runtime
  • Mirantis Kubernetes Engine
  • Mirantis Secure Registry
  • Mirantis OpenStack
  • Lens
  • k0s

Customers using these products do not need to take any action.

For our two affected products, customers should note that the vulnerability severity is low, and components are not vulnerable to Remote Code Execution.

Impacted:

  • Lens Spaces – Patches have been applied and no indicators of compromise have been observed. Customers do not need to take any action.
  • Mirantis Cloud Platform (MCP) up to and including 2019.2.16 – The MCP StackLight ElasticSearch component is impacted by a potential information leak via DNS. The component is not vulnerable to Remote Code Execution. Given the limited data which can be leaked, the Mirantis PSIRT scores the vulnerability severity as LOW (CVSSv3.1 score 3.6).

Recommended Customer Actions:

On MCP StackLight nodes, append -Dlog4j2.formatMsgNoLookups=true to the file /etc/elasticsearch/jvm.options and execute systemctl restart elasticsearch to restart the elasticsearch process. It is recommended to upgrade to MCP 2019.2.17 when available.
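
The script below is an added example, not Mirantis code: it applies the jvm.options change described above idempotently, keeps a backup copy, and restarts Elasticsearch only when the file actually changed. The function names and the --apply switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Mirantis code): apply the jvm.options mitigation idempotently.
OPT='-Dlog4j2.formatMsgNoLookups=true'

# has_mitigation FILE: succeeds if an uncommented line is exactly the flag.
has_mitigation() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -Fxq -e "$OPT"
}

# apply_mitigation FILE: prints "unchanged" or "changed"; returns 2 if FILE is missing.
apply_mitigation() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if has_mitigation "$file"; then
        echo unchanged
        return 0
    fi
    cp -p "$file" "$file.bak"    # keep a copy to roll back to
    # If the last line has no trailing newline, add one so the flag
    # is not glued onto the previous option.
    if [ -s "$file" ] && [ "$(tail -c 1 "$file" | wc -l)" -eq 0 ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$OPT" >> "$file"
    echo changed
}

# Runs only when invoked as: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    result=$(apply_mitigation /etc/elasticsearch/jvm.options) || exit 1
    echo "jvm.options: $result"
    # Restart only when the file changed, so reruns do not bounce the service.
    if [ "$result" = changed ]; then
        systemctl restart elasticsearch
    fi
fi
```

A commented-out copy of the flag does not count as applied, so the script still appends the active line in that case.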

How to assess vulnerability in your workloads

Mirantis Secure Registry has been updated to scan for CVE-2021-44228. Customers should check for a vulnerability database update in MSR, apply any new updates, and perform a scan. MSR will detect Log4j and report on any vulnerabilities.

Identifying, mitigating, and resolving Log4Shell vulnerabilities will be a long process, given how deeply ingrained Log4j is in so many technologies. That path begins with identifying components that may be affected — we strongly recommend that all organizations scan their registries as soon as possible, and reach out to relevant vendors for assistance.
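
As a quick complement to a registry scan, the added example below (not part of MSR or of the original post) walks a directory tree and flags log4j-core jars whose file name carries a version prior to 2.15.0, the threshold stated above. It assumes the standard log4j-core-<version>.jar naming, so jars that were renamed or bundled inside other archives are not detected; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not MSR's scanner): flag log4j-core jars older than 2.15.0 by file name.

# is_affected VERSION: 0 = Log4j 2 prior to 2.15.0, 1 = not affected, 2 = unparsable.
is_affected() {
    ver=${1%%-*}                      # drop qualifiers such as -beta9 or -rc1
    case $ver in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 2 ] && [ "$minor" -lt 15 ]
}

# scan_tree DIR: prints one line per log4j-core jar found: STATUS VERSION PATH
scan_tree() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        base=${jar##*/}
        ver=${base#log4j-core-}
        ver=${ver%.jar}
        rc=0
        is_affected "$ver" || rc=$?
        case $rc in
            0) echo "AFFECTED $ver $jar" ;;
            1) echo "ok $ver $jar" ;;
            *) echo "UNKNOWN $ver $jar" ;;
        esac
    done
}

# Usage: sh script.sh /path/to/search
if [ -n "${1:-}" ]; then
    scan_tree "$1"
fi
```

Lines marked UNKNOWN carry a version string the script could not parse and should be checked by hand.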
