The log4j security team has released log4j 2.16.0, which addresses CVE-2021-45046: https://logging.apache.org/log4j/2.x/security.html
This new vulnerability is classified as moderate, which on its own would not warrant emergency maintenance or an emergency release of Lagoon images. Given the highly critical log4j vulnerability (CVE-2021-44228) disclosed just a couple of days earlier, however, the amazee.io security team decided to review and publish information about CVE-2021-45046.
Additionally, the log4j security team announced that the previously recommended mitigation for CVE-2021-44228 via the system property `log4j2.formatMsgNoLookups` is no longer considered a sufficient mitigation for that vulnerability. amazee.io has used this system property as an infrastructure-wide mitigation and it remains in place: it still protects in most situations, but there are specific configurations in which the vulnerability can still be triggered. We therefore require our customers to upgrade to the versions of the Lagoon Base Images (currently only Solr) that include a patch for both CVE-2021-44228 and CVE-2021-45046, as soon as they are published.
Lagoon Base Images:
- Solr 7 and 8: We believe that Solr 7 and 8 are possibly vulnerable to CVE-2021-45046. No mitigation is possible from the infrastructure side. We are waiting for the Solr community to release new versions of Solr 7 and 8 that include log4j 2.16.0, and will release new Lagoon Base Images as soon as those Solr versions become available. You can follow the progress here: https://github.com/uselagoon/lagoon-images/issues/364
- Solr 6: No mitigation is required, as Solr 6 does not use log4j 2.
- Elasticsearch 6 and 7: There is currently no information that these are vulnerable to CVE-2021-45046, especially as they are fully protected from CVE-2021-44228 in the first place; see https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
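Whether an image actually ships a fixed log4j, rather than relying on the `log4j2.formatMsgNoLookups` property, can be checked directly on the container filesystem. The following is an added example for this advisory, not amazee.io or Lagoon tooling. It assumes log4j 2 is packaged as `log4j-core-<version>.jar` (as the Solr and Elasticsearch distributions do) and reads the version from the filename, falling back to the jar manifest; it treats log4j 1.x jars (the Solr 6 case) as out of scope for these two CVEs, and it recognises a jar from which `JndiLookup.class` was removed, the other mitigation the linked log4j security page lists. The directory tree it scans is constructed inline as sample data; point `scan_tree()` at a mounted image root to use it for real.

```python
"""Inventory log4j jars under a directory and classify each against the 2.16.0 fix.

Added example for this advisory; it is not amazee.io's or Lagoon's own tooling.
Assumptions: log4j 2 ships as log4j-core-<version>.jar (or log4j-core.jar with a
manifest version), log4j 1.x as log4j-<version>.jar, and a vendor patch that removed
JndiLookup.class leaves the jar's version number untouched.
"""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 16, 0)  # log4j 2.16.0 addresses CVE-2021-45046 and CVE-2021-44228
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_CORE_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)")
_LOG4J1_RE = re.compile(r"^log4j-1\.\d")


def parse_version(text):
    """'2.16' -> (2, 16, 0); padded to three components so tuple comparison is sound."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def jar_version(path):
    """Version of a log4j-core jar from its filename, else from the manifest; None if unknown."""
    match = _CORE_RE.match(os.path.basename(path))
    if match:
        return parse_version(match.group(1))
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1].strip())
    return None


def has_jndi_lookup(path):
    """True if JndiLookup.class is still present inside the jar."""
    try:
        with zipfile.ZipFile(path) as jar:
            return JNDI_LOOKUP_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def classify(path):
    """fixed / vulnerable / mitigated-class-removed / log4j1-out-of-scope / unknown."""
    name = os.path.basename(path)
    if _LOG4J1_RE.match(name):
        return "log4j1-out-of-scope"  # Solr 6 style: log4j 1.x is not affected by these two CVEs
    version = jar_version(path)
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "fixed"
    if not has_jndi_lookup(path):
        return "mitigated-class-removed"  # the class-removal mitigation from the log4j advisory
    return "vulnerable"  # < 2.16.0 with JndiLookup present; formatMsgNoLookups alone is not enough


def _is_log4j_jar(name):
    return name.endswith(".jar") and (name.startswith("log4j-core") or bool(_LOG4J1_RE.match(name)))


def scan_tree(root):
    """Map each log4j jar (path relative to root, '/' separated) to its classification."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if _is_log4j_jar(filename):
                full = os.path.join(dirpath, filename)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = classify(full)
    return results


def _write_jar(path, version, include_jndi):
    """Write a constructed stand-in jar: a manifest plus, optionally, an empty JndiLookup.class."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")


def build_sample_tree():
    """Constructed sample layout (not a real image); returns its root directory."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    _write_jar(os.path.join(root, "solr/server/lib/ext/log4j-core-2.14.1.jar"), "2.14.1", True)
    _write_jar(os.path.join(root, "shaded/log4j-core.jar"), "2.15.0", True)  # version only in manifest
    _write_jar(os.path.join(root, "es/lib/log4j-core-2.11.1.jar"), "2.11.1", False)
    _write_jar(os.path.join(root, "upgraded/log4j-core-2.16.0.jar"), "2.16.0", True)
    _write_jar(os.path.join(root, "solr6/server/lib/ext/log4j-1.2.17.jar"), "1.2.17", False)
    return root


if __name__ == "__main__":
    for jar, status in sorted(scan_tree(build_sample_tree()).items()):
        print("%-45s %s" % (jar, status))
```

This is an inventory check, not a proof of exploitability: it does not look inside nested or shaded jars, and a jar reported as `fixed` tells you only which log4j version is bundled, not how the application configures it.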
Lagoon Logging Infrastructure:
- Our logging infrastructure is based on Elasticsearch 7, which is currently considered not vulnerable to CVE-2021-45046.
We continue to monitor the development of this log4j vulnerability and will update this page as new information is released.