What is Log4Shell, and How Can You Tell if You're Affected?
On December 9, 2021, Apache disclosed a critical severity vulnerability in its Log4j 2 logging utility, which records activity within Java applications. The vulnerability impacts all Apache Log4j 2 versions prior to 2.15.0.
The Mirantis team has confirmed that most of our products are unaffected by the vulnerability; the few issues we found were of low severity.
Customers who wish to assess whether their workload software is affected can use Mirantis Secure Registry (MSR). We have updated the vulnerability database in MSR to scan for the Log4j vulnerability CVE-2021-44228.
What is CVE-2021-44228 or Log4Shell?
The zero-day vulnerability designated CVE-2021-44228 — and known more informally as Log4Shell — allows an attacker to take control of a server running Log4j by submitting a malicious string through almost any input that the application ends up logging. The logger keeps track of activity on the server, and when it parses that malicious string, the server is compromised.
The U.S. National Vulnerability Database rates CVE-2021-44228 as a 10 out of 10 on its severity scale. The vulnerability is particularly troubling because Log4j is widely used, and because it is so easy to exploit. For example, in the Java edition of the popular online game Minecraft, attackers were able to assume control of servers simply by entering malicious code in the game’s chat, prompting the publisher to post patch instructions.
Unfortunately, many applications are built on technologies that rely on the Log4j library, including iCloud, Twitter, VMware vCenter, a variety of Apache tools, and many, many more.
Mirantis product impacts
Most of our products were unaffected by the vulnerability, and full details can be found on our GitHub security update page. The following products are not affected:
- Mirantis Container Runtime
- Mirantis Kubernetes Engine
- Mirantis Secure Registry
- Mirantis OpenStack
Customers using these products do not need to take any action.
For our two affected products, customers should note that the vulnerability severity is low, and components are not vulnerable to Remote Code Execution.
- Lens Spaces - Patches have been applied and no indicators of compromise have been observed. Customers do not need to take any action.
- Mirantis Cloud Platform (MCP) up to and including 2019.2.16 - The MCP StackLight ElasticSearch component is impacted by a potential leak of information via DNS. The component is not vulnerable to Remote Code Execution. Given the limited data that can be leaked, the Mirantis PSIRT scores the vulnerability severity as LOW (CVSSv3.1 score 3.6).
Recommended Customer Actions:
- On MCP StackLight nodes, append -Dlog4j2.formatMsgNoLookups=true to the file /etc/elasticsearch/jvm.options.
- Execute systemctl restart elasticsearch to restart the elasticsearch process so the new JVM option takes effect.
- Upgrade to MCP 2019.2.17 when it becomes available.
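As an added illustration of the StackLight steps above (this is not Mirantis tooling), the following script applies the jvm.options change idempotently, restarts Elasticsearch, and then verifies from the running process's command line that the flag was actually picked up. The script name and the --apply switch are assumptions; the file path, flag and restart command are the ones given above.

```shell
#!/bin/sh
# Added helper (not Mirantis' own tooling) for the MCP StackLight mitigation:
# idempotently add -Dlog4j2.formatMsgNoLookups=true to jvm.options, restart
# Elasticsearch, and confirm the running JVM actually carries the option.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# ensure_no_lookups FILE: append FLAG unless an identical line is already
# present, so repeated runs never duplicate it. Returns 0 when the file
# contains the flag afterwards.
ensure_no_lookups() {
    file="$1"
    # -e is required because the pattern itself starts with '-'.
    if grep -qxF -e "$FLAG" "$file" 2>/dev/null; then
        return 0
    fi
    # Guard against a last line without a trailing newline, so the flag is
    # never glued onto an existing option such as -Xmx1g.
    if [ -n "$(tail -c1 "$file" 2>/dev/null)" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$FLAG" >> "$file"
    grep -qxF -e "$FLAG" "$file"
}

# cmdline_has_flag FILE: FILE is a NUL-separated JVM command line, i.e.
# /proc/<pid>/cmdline; reports whether FLAG was passed at startup.
cmdline_has_flag() {
    tr '\0' '\n' < "$1" | grep -qxF -e "$FLAG"
}

# Entry point on a StackLight node: ./log4j-mitigate.sh --apply
# (script name is an assumption). Nothing below runs without --apply.
if [ "${1:-}" = "--apply" ]; then
    ensure_no_lookups /etc/elasticsearch/jvm.options || exit 1
    systemctl restart elasticsearch
    pid=$(systemctl show -p MainPID --value elasticsearch)
    if cmdline_has_flag "/proc/$pid/cmdline"; then
        echo "elasticsearch (pid $pid) restarted with $FLAG"
    else
        echo "WARNING: running JVM does not carry $FLAG; check jvm.options" >&2
        exit 1
    fi
fi
```

The verification step matters because editing jvm.options alone changes nothing until the JVM is restarted; checking /proc/<pid>/cmdline proves the mitigation is live rather than merely configured.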
How to assess vulnerability in your workloads
Mirantis Secure Registry has been updated to scan for CVE-2021-44228. Customers should check for a vulnerability database update in MSR, apply any new updates, and perform a scan. MSR will detect Log4j and report on any vulnerabilities.
Identifying, mitigating, and resolving Log4Shell vulnerabilities will be a long process, given how deeply ingrained Log4j is in so many technologies. That path begins with identifying components that may be affected — we strongly recommend that all organizations scan their registries as soon as possible, and reach out to relevant vendors for assistance.