Astronomer Security Advisory: Log4j2 Vulnerability (CVE-2021-44228)

The Vulnerability

On December 10, a severe security vulnerability in Apache Log4j2, tracked as CVE-2021-44228, was publicly disclosed. It allows remote code execution when attacker-controlled text reaches a vulnerable Log4j2 logger, and it has impacted a variety of internet services.

Astronomer Impact

While this vulnerability affects Astronomer Enterprise and Astronomer Cloud, because the Elasticsearch component in our stack embeds Log4j2, we have no knowledge of any active exploits against the Astronomer Platform or the particular sub-component that integrates Log4j2.

At the time of writing (Dec 11, 10am EST), Astronomer is not aware of any mechanism to exploit CVE-2021-44228 within the Astronomer platform.

Astronomer Enterprise Mitigation

The following Astronomer Enterprise patch versions were published on December 11 to address this vulnerability:

  • 0.26.5
  • 0.25.12
  • 0.23.18
  • 0.16.19

We advise all customers to upgrade to the latest patch version of their running minor version at their convenience. For instructions, read “Upgrade to an Astronomer Patch Version”.

Additional Requirement if ES_JAVA_OPTS is Set

Customers who have explicitly set ES_JAVA_OPTS in their Astronomer config.yaml file must additionally add the flag -Dlog4j2.formatMsgNoLookups=true to that value prior to upgrading to the latest Enterprise patch version. An explicitly set ES_JAVA_OPTS replaces the chart's default JVM options rather than extending them, so the mitigation flag is only in effect if your override carries it. Note that the flag is a mitigation, not a fix: the patch upgrade is still required.

Your configuration should look something like this:

      ES_JAVA_OPTS: "-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true"

To make this change, follow helm upgrade instructions in “Apply a Platform Configuration Change on Astronomer”.

To confirm that the change reached the running Elasticsearch container, run the following (kubectl exec against a statefulset targets one of its pods; repeat per pod on a multi-node cluster):

      kubectl -n "<namespace>" exec "statefulset/<helm_release_name>-elasticsearch-master" -c es-master -- printenv ES_JAVA_OPTS

You should see:

      -Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true
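The command above checks the environment variable on one pod. The script below is an added example, not Astronomer's own tooling, that checks every master pod of a release and compares the running JVM's actual command line, not only the environment variable that feeds the launcher. It assumes the pod naming <release>-elasticsearch-master-N and the es-master container name implied by the command above, and relies on the Elasticsearch launcher appending ES_JAVA_OPTS to the java command line whose main class is org.elasticsearch.bootstrap.Elasticsearch.

```shell
#!/bin/sh
# Added example (not Astronomer's own tooling): verify that the Log4j2
# message-lookup mitigation is in effect on every Elasticsearch master pod.
#
# Assumptions (taken from the advisory, not verified here): pods are named
# <release>-elasticsearch-master-N and the container is called es-master.

# Report whether a JVM options string enables the mitigation. Tokens are
# scanned in order and the last -Dlog4j2.formatMsgNoLookups=... wins, which
# is how the JVM resolves duplicate -D system properties. The advisory uses
# the lowercase value "true", so that exact value is required here.
has_nolookups_flag() {
  state=""
  for tok in $1; do
    case "$tok" in
      -Dlog4j2.formatMsgNoLookups=*) state="${tok#*=}" ;;
    esac
  done
  [ "$state" = "true" ]
}

# Print the command line of the Elasticsearch JVM inside a container, so the
# check is made against what the JVM was actually started with.
jvm_cmdline() {
  # $1 = namespace, $2 = pod name, $3 = container name
  kubectl -n "$1" exec "$2" -c "$3" -- sh -c \
    'for p in /proc/[0-9]*; do tr "\000" " " < "$p/cmdline" 2>/dev/null; echo; done' \
    | grep -m1 'org.elasticsearch.bootstrap.Elasticsearch'
}

# Check every master pod of a release; returns non-zero if any pod lacks
# the flag on its JVM command line. The env var is printed for reference.
check_release() {
  ns="$1"; release="$2"; rc=0
  for pod in $(kubectl -n "$ns" get pods -o name | grep "^pod/${release}-elasticsearch-master-"); do
    pod="${pod#pod/}"
    env_opts=$(kubectl -n "$ns" exec "$pod" -c es-master -- printenv ES_JAVA_OPTS 2>/dev/null || true)
    cmd=$(jvm_cmdline "$ns" "$pod" es-master)
    if has_nolookups_flag "$cmd"; then
      echo "OK       $pod"
    else
      echo "MISSING  $pod  ES_JAVA_OPTS='${env_opts}'"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh check-log4j-flag.sh <namespace> <helm_release_name>
if [ "$#" -eq 2 ]; then
  check_release "$1" "$2"
fi
```

Run it as `sh check-log4j-flag.sh <namespace> <helm_release_name>`. Because has_nolookups_flag treats the last -Dlog4j2.formatMsgNoLookups= token as authoritative, a stale =false left earlier in the string is neither a false pass nor a false fail, and a partial match such as a differently named property does not count.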

If you have any questions or have trouble with this, reach out to Astronomer Support. We take security vulnerabilities very seriously and are here to help.

Astronomer Cloud Mitigation

Astronomer has patched Astronomer Cloud to address CVE-2021-44228. No action is required.