AWS has developed an RPM that performs a JVM-level hot-patch which disables JNDI lookups from the Log4j2 library, mitigating Log4j2 CVE-2021-44228 and CVE-2021-45046.
The Apache Log4j2 CVE-2021-44228 node agent is an open source project built by the Kubernetes team at AWS. It is designed to run as a DaemonSet and mitigate the impact of Log4j2 CVE-2021-44228, which affects applications running Apache Log4j2 versions < 2.15.0 when processing inputs from untrusted sources. Running this DaemonSet will patch JVMs running in containers as well as on the host.
What it does: A cron entry will be installed on every worker node that runs a process looking for running JVMs and injects an agent which mitigates the Log4j2 CVE. All JVMs, including those running in containers, will be hot-patched in this way. Currently, the hot-patch process is configured to run every 30 min with a 15 min jitter, so the effective window between runs can range from 15 to 45 min.
Note: You can find additional information about the Log4j2 vulnerability and AWS response in the AWS Security Bulletin.
- Apply the manifest:

```sh
kubectl apply -f https://raw.githubusercontent.com/aws-samples/kubernetes-log4j-cve-2021-44228-node-agent/main/daemonset.yaml
```

- Check the logs for one or more of your DaemonSet pods.

  Spot check a single pod:

```sh
kubectl get pods -l job=node-patch-installer -n node-configuration-daemonset
kubectl logs <pod-name> -c node-patch-installer -n node-configuration-daemonset
```

  or get confirmation for every node:

```sh
kubectl logs -l job=node-patch-installer -c node-patch-installer -n node-configuration-daemonset | grep 'installed'
```

  If the installation was successful, the last line in the log file will read `installed and verified`; otherwise an error will be logged.
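The grep above shows matching lines but not which nodes are missing one. The following script is an added example (not part of the aws-samples project) that classifies each installer pod's log by its final line and prints one status line per node. It assumes only what the README states about the log format: a final line reading `installed and verified` on success, an error line otherwise. The namespace and label selector are taken from the commands above; the sample log texts are constructed for offline use.

```sh
#!/bin/sh
# Added example (not part of the aws-samples project): classify each
# node-patch-installer pod's log and print one status line per node, so a
# cluster-wide verification does not rely on eyeballing `grep 'installed'`.
# Assumes the log text the README describes: the final line reads
# "installed and verified" on success, otherwise an error line is logged.

NS=node-configuration-daemonset

# classify_log LOGTEXT -> prints "ok" or "failed" based on the last
# non-blank line of the log.
classify_log() {
  last=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | tail -n 1)
  case "$last" in
    *"installed and verified"*) echo ok ;;
    *) echo failed ;;
  esac
}

# summarize_cluster: for every installer pod, print "<node> <pod> <status>".
# Needs kubectl access to the cluster; only called with --cluster below.
summarize_cluster() {
  kubectl get pods -l job=node-patch-installer -n "$NS" \
    -o jsonpath='{range .items[*]}{.metadata.name} {.spec.nodeName}{"\n"}{end}' |
  while read -r pod node; do
    log=$(kubectl logs "$pod" -c node-patch-installer -n "$NS" 2>&1)
    printf '%s %s %s\n' "$node" "$pod" "$(classify_log "$log")"
  done
}

# count_failed SUMMARY -> number of summary lines whose status is "failed".
count_failed() {
  printf '%s\n' "$1" | grep -c ' failed$' || true
}

# Constructed sample logs (not real installer output) for offline use.
SAMPLE_OK='checking for running JVMs
applying hotpatch
installed and verified'
SAMPLE_FAIL='checking for running JVMs
error: could not locate hotpatch RPM'

if [ "${1:-}" = "--cluster" ]; then
  summary=$(summarize_cluster)
  printf '%s\n' "$summary"
  echo "failed nodes: $(count_failed "$summary")"
else
  echo "sample ok log   -> $(classify_log "$SAMPLE_OK")"
  echo "sample fail log -> $(classify_log "$SAMPLE_FAIL")"
fi
```

Run it with `--cluster` against a kubeconfig that can read the `node-configuration-daemonset` namespace; without arguments it only exercises the classifier on the constructed samples. Checking the exact success phrase on the last line, rather than any line containing `installed`, is what keeps a node that logged an error from being counted as patched.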
- This project is meant to act as a temporary, best effort mitigation until you can update the Log4j2 dependency in all of your Java based Kubernetes applications to at least Log4j version 2.15.0. Do not rely on this agent as a long-term mitigation. This tool may help you mitigate the risk when updating dependencies is not immediately possible.
- The DaemonSet is only supported on Amazon Linux (AL) and Amazon Linux 2 (AL2) based worker nodes. Bottlerocket is not supported.
- Because DaemonSets do not run on AWS Fargate, any pods running on Fargate in Amazon EKS clusters will not be patched by this agent.
- With the default runtime frequency of 30 mins, the agent is better suited for long-running containers.
- The RPM only works with the following Java distributions:
- Credo
- Corretto
- OpenJDK
- If your worker nodes are in a sandboxed environment with no Internet connectivity, you can pull the image from ECR and push it to a private registry. Alternatively, you can modify the makefile in the image directory to build and push the resulting image to your private registry. Edit the DaemonSet `spec.template.spec.initContainers.image` in the `daemonset.yaml` file to reflect the new URI:tag of the image, then apply the manifest to your cluster.
Apache Log4j2 < 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j2 2.15.0 onwards, this behavior is disabled by default. Full details can be found in the CVE bulletin.
You can find additional information about the Log4j2 vulnerability in the AWS Security Bulletin.
AWS has developed an RPM that performs a JVM-level hotpatch disabling JNDI lookups from the Log4j2 library, mitigating the Log4j2 issue; this applies to JVMs on the host as well as JVMs running in containers. This project packages up the RPM as a Kubernetes DaemonSet.
When installed, a process will run on every worker node that looks for running JVMs and injects an agent into the JVM to mitigate the Log4j2 vulnerability. The agent attempts to patch the `lookup()` method of all loaded `org.apache.logging.log4j.core.lookup.JndiLookup` instances to unconditionally return the string `Patched JndiLookup::lookup()`. This is designed to address the CVE-2021-44228 remote code execution vulnerability in Log4j2 without restarting the Java process.
This process by default is configured to run every 30 mins, and will add a layer of protection in clusters where applications have yet to be patched with an updated Log4j2 dependency.
You can find more details on the hotpatch in the AWS open source blog.
The container image is hosted in the aws-containers ECR Public repository.