Author: Bao Fengqi

Member of the Aikesheng dble development team, mainly responsible for dble feature development, troubleshooting and resolving community issues. Without further ado, let's get to it.

Source of this article: original submission

* Produced by the Aikesheng open source community. Original content may not be used without authorization; to reprint, please contact the editor and credit the source.


dble runs as a jar package that depends on many third-party components. When one of those components has a vulnerability, it needs to be patched urgently.

Apache Log4j2

Security vulnerability description: https://nosec.org/home/detail/4917.html

Repair plan

⚠️: Option 1 is now feasible: as of 11:00 Beijing time on December 14, 2021, log4j has officially released version 2.16.0. Release notes: https://github.com/apache/logging-log4j2/blob/rel/2.16.0/RELEASE-NOTES.md

⚠️: Steps 2 and 3 below are temporary mitigations; other problems cannot be ruled out.

1. Upgrade log4j2 components

dble version: 2.19.07.x to 3.21.10.x. Versions before 2.19.07.x are no longer officially supported; users of those versions need to attempt the jar replacement themselves.

Impact: dble must be restarted

Steps:

1.1 Stop dble

1.2 Back up the log4j jar packages on the dble server by moving them to the /tmp/ directory

There are four jar packages under /path/to/dble/lib (confirm this before operating):

  • log4j-1.2-api-2.13.1.jar
  • log4j-api-2.13.1.jar
  • log4j-core-2.13.1.jar
  • log4j-slf4j-impl-2.13.1.jar

Perform the following operations:

mv log4j-1.2-api-2.13.1.jar log4j-1.2-api-2.13.1.jar.bak
mv log4j-1.2-api-2.13.1.jar.bak /tmp/

1.3 Upload the corresponding log4j 2.16.0 jar package to /path/to/dble/lib and set its permissions
Reference link: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/ ; the other jars can be found on the same site

1.4 Repeat steps 1.2 and 1.3 for the remaining three jar packages

1.5 Start dble

2. Add configuration

dble version: in theory applicable to all dble versions

Impact: dble must be restarted

Steps:

Create the configuration file log4j2.component.properties in the dble configuration directory /path/to/dble/conf

Modify file permissions:

Add the following configuration:

log4j2.formatMsgNoLookups=True

Verification:

In the development environment we verified that the variable is loaded after a restart, and it is not loaded without one.

3. Modify jvm parameters

dble version: applicable to dble versions earlier than 3.20.07.0

dble 3.20.07.0 and later restrict JVM parameters and do not support this method; a fix will be released in the near future.

Impact: dble must be restarted

Steps:

Add the following configuration to the dble configuration file /path/to/dble/conf/wrapper.conf and restart dble.

Configuration:

Check whether the original environment already contains wrapper.java.additional.N entries; replace the index 14 in the following line with an unused index as needed

wrapper.java.additional.14=-Dlog4j2.formatMsgNoLookups=true

Run the following command to confirm that dble started with this parameter:

ps aux|grep dble|grep 'formatMsgNoLookups'

4. Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true

Not recommended
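As an added check that is not part of the original article, the script below audits a dble installation for the state described in steps 1 to 3: it reports which log4j jars in the lib directory still predate 2.16.0 and whether either formatMsgNoLookups mitigation is present in the conf directory. The LIB_DIR and CONF_DIR defaults and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit a dble lib/ and conf/ directory
# for the Log4j2 issue above. LIB_DIR/CONF_DIR defaults are assumptions; override via env.
FIXED_VERSION=2.16.0   # the upgrade target named in step 1

# Return 0 (true) when dotted version $1 is lower than $2, comparing field by field
# numerically, so 2.9 < 2.16 even though "2.9" sorts after "2.16" as text.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal versions are not "lower"
  }'
}

# Print one line per log4j-*.jar in the lib directory: name, version, and whether it
# still predates FIXED_VERSION. The version is the text after the last '-' in the
# file name (log4j-1.2-api-2.13.1 -> 2.13.1), as in the four jars listed in step 1.2.
check_log4j_jars() {
  for jar in "$1"/log4j-*.jar; do
    [ -e "$jar" ] || continue          # the glob matched nothing
    name=$(basename "$jar" .jar)
    ver=${name##*-}
    if version_lt "$ver" "$FIXED_VERSION"; then
      echo "$name $ver VULNERABLE"
    else
      echo "$name $ver ok"
    fi
  done
}

# Return 0 when either mitigation from steps 2 and 3 is present in the conf directory:
# the log4j2.component.properties entry or a wrapper.java.additional.N JVM flag.
mitigation_configured() {
  grep -qsi '^log4j2\.formatMsgNoLookups=true' "$1/log4j2.component.properties" && return 0
  grep -qs 'wrapper\.java\.additional\.[0-9]*=-Dlog4j2\.formatMsgNoLookups=true' "$1/wrapper.conf" && return 0
  return 1
}

check_log4j_jars "${LIB_DIR:-/path/to/dble/lib}"
mitigation_configured "${CONF_DIR:-/path/to/dble/conf}" \
  && echo "formatMsgNoLookups mitigation is configured" \
  || echo "no formatMsgNoLookups mitigation found (expected if you upgraded the jars instead)"
```

Run it as LIB_DIR=/path/to/dble/lib CONF_DIR=/path/to/dble/conf sh check-log4j.sh; any line ending in VULNERABLE is a jar that step 1 has not yet replaced.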

