The Vulnerability
On December 10, a severe security vulnerability in Apache Log4j 2, tracked as CVE-2021-44228, was disclosed and has impacted a wide range of internet services.
Astronomer Impact
While this vulnerability affects Astronomer Enterprise and Astronomer Cloud because Elasticsearch, which bundles Log4j2, is part of our stack, we have no knowledge of any active exploits against the Astronomer Platform or the particular sub-component that integrates Log4j2.
At the time of writing (Dec 11, 10am EST), Astronomer is not aware of any mechanism to exploit CVE-2021-44228 within the Astronomer platform.
Astronomer Enterprise Mitigation
The following Astronomer Enterprise patch versions were published on December 11 to address this vulnerability:
0.26.5
0.25.12
0.23.18
0.16.19
We advise all customers to upgrade to the latest patch version of their running minor version at their convenience. For instructions, read “Upgrade to an Astronomer Patch Version”.
Additional Requirement if ES_JAVA_OPTS is Set
Customers who have explicitly set ES_JAVA_OPTS in their Astronomer config.yaml file must additionally add the JVM flag -Dlog4j2.formatMsgNoLookups=true to that value before upgrading to the latest Enterprise patch version, because a value you set yourself overrides the one the patched chart provides and would otherwise leave the mitigation out.
Your configuration should look something like this:
elasticsearch:
  common:
    env:
      ES_JAVA_OPTS: "-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true"
To make this change, follow the helm upgrade instructions in “Apply a Platform Configuration Change on Astronomer”.
To confirm that your change was successful, run:
kubectl -n "<namespace>" exec "statefulset/<helm_release_name>-elasticsearch-master" -c es-master -- printenv ES_JAVA_OPTS
You should see:
-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true
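The following script is an added example, not part of the Astronomer advisory or its tooling. It wraps the verification step above so the result is a pass/fail check rather than something to eyeball: has_nolookups parses an ES_JAVA_OPTS string and reports whether the effective value of log4j2.formatMsgNoLookups is true (if the same -D property appears more than once the JVM keeps the last one, so a later =false would silently undo an earlier =true), and check_pod reads the variable from the running Elasticsearch master pod with the same kubectl command the advisory gives. The namespace and release name are arguments you supply; the constructed option strings are only there to show the checker's behaviour.

```shell
#!/bin/sh
# Added example (not Astronomer's code): verify that the Elasticsearch JVM
# options carry an effective -Dlog4j2.formatMsgNoLookups=true.
# Assumption: when the JVM sees the same -D property twice, the last
# occurrence on the command line wins.

# has_nolookups OPTS
#   Exit 0 if the effective value of log4j2.formatMsgNoLookups in OPTS is
#   "true", 1 otherwise (flag absent, false, or overridden later).
has_nolookups() {
    effective=""
    for tok in $1; do
        case "$tok" in
            -Dlog4j2.formatMsgNoLookups=*)
                # Keep overwriting so the last occurrence is what we judge.
                effective="${tok#-Dlog4j2.formatMsgNoLookups=}"
                ;;
        esac
    done
    [ "$effective" = "true" ]
}

# check_pod NAMESPACE HELM_RELEASE
#   Read ES_JAVA_OPTS from the running es-master container (same command as
#   the advisory's verification step) and run it through has_nolookups.
#   Exit 0 on success, 1 if the flag is missing, 2 if the value could not be
#   read at all (pod not found, variable unset, no cluster access).
check_pod() {
    opts=$(kubectl -n "$1" exec "statefulset/$2-elasticsearch-master" \
              -c es-master -- printenv ES_JAVA_OPTS) || return 2
    if has_nolookups "$opts"; then
        echo "OK: ES_JAVA_OPTS=$opts"
    else
        echo "MISSING: ES_JAVA_OPTS=$opts" >&2
        return 1
    fi
}

# Only talk to a cluster when both arguments are given, e.g.
#   sh check_es_opts.sh <namespace> <helm_release_name>
if [ $# -eq 2 ]; then
    check_pod "$1" "$2"
fi
```

A non-zero exit from check_pod is the signal to re-check config.yaml and re-run the helm upgrade; an exit of 2 means the pod or variable could not be read, which is worth distinguishing from a genuinely missing flag.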
If you have any questions or have trouble with this, reach out to Astronomer Support. We take security vulnerabilities very seriously and are here to help.
Astronomer Cloud Mitigation
Astronomer has patched Astronomer Cloud to address CVE-2021-44228. No action is required.