Log4Shell RCE 0-day exploit
CrateDB is not affected by the later-published CVEs when used with the default configuration. The upcoming hotfix release (CrateDB 4.6.7) will update Log4j to version 2.17.1.
CrateDB 4.6.6 is released and includes the updated Log4j 2.15.0 to fix CVE-2021-44228. We recommend upgrading your CrateDB clusters.
On Thursday (December 9th), a 0-day exploit in the commonly used Java logging library Apache Log4j 2 was discovered; see Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec.
Logging a specially crafted string can lead to Remote Code Execution (RCE). CrateDB is also affected by this vulnerability.
The Swiss Government published an excellent article with a lot of valuable information about how an exploit might work and how to mitigate it: Zero-Day Exploit Targeting Popular Java Library Log4j.
Until the new version is fully released, the agreed-upon mitigation is to set the Log4j configuration setting
log4j2.formatMsgNoLookups to true, which disables message lookups (see also How to Mitigate the Issue), by providing the following option at CrateDB startup.
Either add this to your Java options:
or this to your environment variables:
The mitigation works starting with CrateDB 3.2.0. Users running older versions are strongly encouraged to upgrade their instances.
All CrateDB Cloud instances have been patched. If you have any questions, please contact CrateDB Support.
Start CrateDB with the following settings
CrateDB RPM / DEB packages
For RPM/DEB package installations, those settings should be added to the
CRATE_JAVA_OPTS environment variable within the file
CrateDB container images
When running Docker, set the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS=true when starting the container, for example:

```shell
docker run --env=LOG4J_FORMAT_MSG_NO_LOOKUPS=true --publish=4200:4200 --publish=5432:5432 crate -Cdiscovery.type=single-node
```
When using Docker Compose, a corresponding configuration snippet looks like this (the value is quoted so the YAML parser keeps it as a string, as Compose requires for environment values):

```yaml
version: "3"
services:
  cratedb:
    image: crate:4.6.5
    environment:
      LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"
    ports:
      - "4200:4200"
      - "5432:5432"
```
When using Kubernetes, the relevant part of the StatefulSet manifest where
LOG4J_FORMAT_MSG_NO_LOOKUPS=true is added, as per Run CrateDB on Kubernetes — CrateDB: How-Tos, is:

```yaml
kind: StatefulSet
apiVersion: "apps/v1"
metadata:
  name: crate
spec:
  serviceName: "crate-set"
  template:
    spec:
      containers:
        - name: crate
          image: crate:4.6.5
          env:
            - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
              value: "true"
```
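To verify that a node actually runs with the mitigation or with the fixed release, here is an added shell helper that is not part of the original post or of CrateDB's own tooling; the version thresholds (3.2.0 and 4.6.6) and the setting names are taken from the post above, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added verification helper (not part of CrateDB or of the original post):
# classifies a CrateDB node as vulnerable, mitigated or fixed from its version
# and from the JVM options / environment it was started with. Thresholds come
# from the post: 4.6.6 ships the patched Log4j, and the formatMsgNoLookups
# mitigation is only honoured from CrateDB 3.2.0 (Log4j 2.10.0) onwards.

# ver_ge A B: succeeds when dotted version A >= B (numeric, up to three parts).
ver_ge() {
  printf '%s %s\n' "$1" "$2" | awk -F'[. ]' '{
    for (i = 1; i <= 3; i++) {
      a = $i + 0; b = $(i + 3) + 0
      if (a > b) exit 0
      if (a < b) exit 1
    }
    exit 0
  }'
}

# log4shell_status VERSION STARTUP: STARTUP is one string holding the JVM
# arguments and environment of the process, e.g. the output of
#   ps -o args= -p <pid>   or   docker inspect --format '{{.Config.Env}}' <container>
# Prints exactly one of: fixed, mitigated, vulnerable.
log4shell_status() {
  ver=$1
  startup=$2
  if ver_ge "$ver" 4.6.6; then
    echo fixed          # bundles Log4j 2.15.0 or later
    return 0
  fi
  case $startup in
    *-Dlog4j2.formatMsgNoLookups=true*|*LOG4J_FORMAT_MSG_NO_LOOKUPS=true*)
      if ver_ge "$ver" 3.2.0; then
        echo mitigated  # lookups disabled; still upgrade when possible
      else
        echo vulnerable # older Log4j ignores the setting: upgrade required
      fi ;;
    *)
      echo vulnerable   # no mitigation present on an unpatched version
      ;;
  esac
}

# Constructed sample inputs (not captured from a real node):
log4shell_status 4.6.5 "-Xms2g -Dlog4j2.formatMsgNoLookups=true"  # mitigated
log4shell_status 4.6.5 "-Xms2g"                                    # vulnerable
log4shell_status 3.1.0 "LOG4J_FORMAT_MSG_NO_LOOKUPS=true"          # vulnerable
log4shell_status 4.6.6 ""                                          # fixed
```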
We will keep you updated!
- CrateDB 4.6.6 tarballs are available: Index of /downloads/releases/cratedb/
- All CrateDB Cloud instances have been patched.
- Add details about Log4j version 2.10.0.
- CrateDB testing release 4.6.6 is available as RPM and DEB packages as well as container images at
- Official CrateDB Docker image is published
CrateDB 3.2.0 ships with Log4j version 2.10.0, which includes the configuration setting