A critical severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. The vulnerability impacts all Apache Log4j 2 versions prior to 2.15.0. This advisory details the impact on Mirantis products.
We can confirm that the following products are not impacted:
- Mirantis Container Runtime
- Mirantis Kubernetes Engine
- Mirantis Secure Registry
- Mirantis Container Cloud
- Mirantis OpenStack
- Lens
- K0s
Customers using these products do not need to take any action.
Patches[1] have been applied and no indicators of compromise have been observed. Customers do not need to take any action.
Mirantis Cloud Platform (MCP) up to and including 2019.2.16
The MCP StackLight Elasticsearch component is impacted by a potential leak of information via DNS[2]. The component is not vulnerable to Remote Code Execution. Given the limited data that can be leaked, the Mirantis PSIRT scores the vulnerability severity as LOW (CVSSv3.1 score 3.6).
On MCP StackLight nodes, append -Dlog4j2.formatMsgNoLookups=true to the file /etc/elasticsearch/jvm.options, then execute systemctl restart elasticsearch to restart the Elasticsearch process. It is recommended to upgrade to MCP 2019.2.17 when available.
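The two StackLight steps above as an added, idempotent shell script (example code, not part of the Mirantis advisory). The flag, the jvm.options path and the service name are the advisory's; the function names and the --apply switch are assumptions, and the script only restarts Elasticsearch when the option was newly added, so it is safe to re-run.

```shell
#!/bin/sh
# Added example, not from the Mirantis advisory: apply the StackLight
# mitigation idempotently. FLAG, JVM_OPTIONS and the service name come from
# the advisory; the function names and the --apply switch are assumptions.
FLAG='-Dlog4j2.formatMsgNoLookups=true'
JVM_OPTIONS='/etc/elasticsearch/jvm.options'

# ensure_flag FILE: make sure FILE contains FLAG on its own line, exactly once.
# Returns 0 if FLAG was already there or was appended, 1 otherwise.
ensure_flag() {
    file="$1"
    # already present as a whole line (-x), matched literally (-F): nothing to do
    if grep -qxF -- "$FLAG" "$file" 2>/dev/null; then
        return 0
    fi
    # a file whose last line lacks a newline would otherwise swallow the flag
    # into that line, so terminate it first ($(tail -c1) is empty for '\n')
    if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
        printf '\n' >> "$file" || return 1
    fi
    printf '%s\n' "$FLAG" >> "$file" || return 1
    grep -qxF -- "$FLAG" "$file"
}

# flag_count FILE: number of lines in FILE that are exactly FLAG (expect 1).
flag_count() {
    grep -cxF -- "$FLAG" "$1" 2>/dev/null || true
}

# apply_mitigation: the advisory's two steps on a StackLight node; the restart
# happens only when the option was newly added, so re-running is a no-op.
apply_mitigation() {
    if grep -qxF -- "$FLAG" "$JVM_OPTIONS" 2>/dev/null; then
        echo "flag already present in $JVM_OPTIONS; nothing to do"
        return 0
    fi
    ensure_flag "$JVM_OPTIONS" || return 1
    systemctl restart elasticsearch
}

# Only touch the real node when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
fi
```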
Footnotes
[1] Lens Spaces uses Metabase internally, which was vulnerable.
[2] Elasticsearch on MCP uses JDK 8: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476