On December 10, a severe security vulnerability in Log4j 2, tracked as CVE-2021-44228, was identified and has impacted a variety of internet services.
While this vulnerability affects Astronomer Enterprise and Astronomer Cloud given the use of Elasticsearch in our stack, we have no knowledge of any active exploits against the Astronomer Platform or the particular sub-component that integrates Log4j2.
At the time of writing (Dec 11, 10am EST), Astronomer is not aware of any mechanism to exploit CVE-2021-44228 within the Astronomer platform.
The following Astronomer Enterprise patch versions were published on December 11 to address this vulnerability:
We advise all customers to upgrade to the latest patch version of their running minor version at their convenience. For instructions, read “Upgrade to an Astronomer Patch Version”.
Customers who have explicitly set ES_JAVA_OPTS in their Astronomer config.yaml file must additionally set the flag -Dlog4j2.formatMsgNoLookups=true prior to upgrading to the latest Enterprise patch version.
Your configuration should look something like this:
elasticsearch:
  common:
    env:
      ES_JAVA_OPTS: "-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true"
To make this change, follow the helm upgrade instructions in “Apply a Platform Configuration Change on Astronomer”.
To confirm that your change was successful, run:
kubectl -n "<namespace>" exec "statefulset/<helm_release_name>-elasticsearch-master" -c es-master -- printenv ES_JAVA_OPTS
You should see:
-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true
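The check above compares the printed value by eye. The following POSIX shell script is an added example, not Astronomer's own tooling: it tests whether an ES_JAVA_OPTS value carries the mitigation flag as a whole option (so a value such as "-Dlog4j2.formatMsgNoLookups=truex" is not accepted), appends the flag to an existing value without clobbering the heap settings, and wraps the kubectl command from this page so the live value can be checked non-interactively. The namespace and release name are assumed to follow the advisory's statefulset naming pattern; the sample value is constructed.

```shell
#!/bin/sh
# Added example (not Astronomer's code): verify and repair the Log4j 2
# mitigation flag in an ES_JAVA_OPTS value.

MITIGATION_FLAG="-Dlog4j2.formatMsgNoLookups=true"

# has_mitigation VALUE -> returns 0 when VALUE contains the flag as a
# separate, whole option (not merely as a substring of another option).
has_mitigation() {
  case " $1 " in
    *" $MITIGATION_FLAG "*) return 0 ;;
    *) return 1 ;;
  esac
}

# ensure_mitigation VALUE -> prints VALUE with the flag appended if it is
# absent; an existing correct value is printed unchanged, so the function
# is safe to apply repeatedly (for instance when templating config.yaml).
ensure_mitigation() {
  if has_mitigation "$1"; then
    printf '%s\n' "$1"
  elif [ -z "$1" ]; then
    printf '%s\n' "$MITIGATION_FLAG"
  else
    printf '%s %s\n' "$1" "$MITIGATION_FLAG"
  fi
}

# check_cluster NAMESPACE RELEASE -> reads the live value from the
# Elasticsearch master pod (assumed name pattern from the advisory) and
# returns 0 if the flag is set, 1 if it is missing, 2 if kubectl failed.
check_cluster() {
  ns="$1"; release="$2"
  live=$(kubectl -n "$ns" exec "statefulset/${release}-elasticsearch-master" \
           -c es-master -- printenv ES_JAVA_OPTS) || return 2
  if has_mitigation "$live"; then
    echo "OK: ES_JAVA_OPTS=$live"
  else
    echo "MISSING mitigation flag; ES_JAVA_OPTS=$live" >&2
    return 1
  fi
}

# Constructed sample: a value a customer might already have in config.yaml.
SAMPLE_OPTS="-Xms2g -Xmx2g"

# Stand-alone usage: print the repaired value for the sample.
ensure_mitigation "$SAMPLE_OPTS"
# Against a cluster (assumed names): check_cluster "<namespace>" "<helm_release_name>"
```

Run check_cluster after the helm upgrade has rolled the statefulset; it exits non-zero when the flag is missing, which makes it usable as a gate in a deployment pipeline rather than a manual read of the printenv output.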
If you have any questions or have trouble with this, reach out to Astronomer Support. We take security vulnerabilities very seriously and are here to help.
Astronomer has patched Astronomer Cloud to address CVE-2021-44228. No action is required.