Patch for Log4j CVE-2021-44228

Introduction

TigerGraph is aware of the recently disclosed security vulnerability in the open-source Apache Log4j 2 utility (CVE-2021-44228). Additionally, TigerGraph is aware of a vulnerability affecting Apache Log4j v1 (CVE-2021-4104).

TigerGraph has created a patch to address both of these issues.

The provided patch updates the GSQL Server and Client to use Log4j 2.17.0 and removes JMSAppender.class from the Apache Kafka and Apache ZooKeeper packages included in TigerGraph. This is the resolution described in the Apache Kafka CVE list: https://kafka.apache.org/cve-list

Below we list TigerGraph (TG) components that are using Log4j or Log4j2 and the process to apply the patch.

TG 2.5.y and TG 2.6.y

GSQL Server - Apache Log4j 1.2.17
GSQL Client - Not affected (doesn't use log4j)

TG 3.x.y

GSQL Server - Apache Log4j 1.2.17
GSQL Client - Apache Log4j 2.13.3 (>= TG 3.1.0), Apache Log4j 2.13.1 (< TG 3.1.0)

TG 2.x

Kafka 0.10.2.1 (kafka_2.10-0.10.2.1.tar.gz) - log4j 1.2.17
ZooKeeper 3.4.6 (zookeeper-3.4.6.tar.gz) - log4j 1.2.16

TG 3.0.x

Kafka 2.3.0 (kafka_2.12-2.3.0.tar.gz) - log4j 1.2.17
ZooKeeper 3.5.8 (zookeeper-3.5.8.tar.gz) - log4j 1.2.17

TG 3.1.x - 3.5.x

Kafka 2.5.1 (kafka_2.12-2.5.1.tar.gz) - log4j 1.2.17
ZooKeeper 3.6.3 (zookeeper-3.6.3.tar.gz) - log4j 1.2.17

Please note that the builds of Apache Kafka and Apache ZooKeeper shipped in TG currently use log4j 1.2.17 or 1.2.16, which are not affected by CVE-2021-44228; the patch removes the JMSAppender class that CVE-2021-4104 concerns from those jars. As Apache Kafka and Apache ZooKeeper are updated to use Log4j version 2.16.0 or greater, TigerGraph will work to incorporate these updates.

Instructions

1. Check your TigerGraph version:

gadmin version

2. If your TigerGraph version is not one of the following, upgrade TigerGraph to one of them by following the upgrade documentation (https://docs.tigergraph.com/tigergraph-server/3.2/installation/upgrade) before proceeding to step 3.

3.x: 3.0.5, 3.0.6, 3.1.1, 3.1.5, 3.1.6, 3.2.0, 3.2.1, 3.2.2, 3.3.0
2.x: 2.5.2, 2.5.3, 2.5.4, 2.6.6

Note that you can download the above TigerGraph Enterprise installation packages from:
https://dl.tigergraph.com/enterprise-edition/tigergraph-3.x.y-offline.tar.gz
https://dl.tigergraph.com/enterprise-edition/tigergraph-2.x.y-offline.tar.gz

3. Download the security patch for TigerGraph v3 or v2 from the link below. Note: DO NOT change the x/y in the URL.

3.x: https://dl.tigergraph.com/patch/log4j/log4j-fix-3.x.y.tgz
2.x: https://dl.tigergraph.com/patch/log4j/log4j-fix-2.x.y.tgz

4. Untar it and run the included run.sh script on the TigerGraph cluster machine.

Note: As part of running the script, the Kafka, ZooKeeper, and GSQL services must be restarted. This means the cluster will be temporarily unavailable. The patch application process should only take a few minutes.

Note: All loading jobs should be aborted prior to running the patch.

3.x:

tar -zxvf log4j-fix-3.x.y.tgz
cd log4j-fix-3.x.y
./run.sh

2.x:

tar -zxvf log4j-fix-2.x.y.tgz
cd log4j-fix-2.x.y
./run.sh

Offline Patching

To run the patch offline, download the files on a separate server with internet access and transfer them to the server that needs to be patched.

The GSQL jar files must be placed in the gsql-jars directory inside the untarred patch directory. The log4j jar must be in the same directory as run.sh.

So it will look like this:

log4j-fix-3.x.y
├── gsql-jars
│   ├── gsql-3.1.6.jar
│   └── gsql_client-3.1.6.jar
├── log4j-1.2.17.jar
├── replace_gsql_jars.sh
├── replace_zk_kafka_log4j_jar.sh
└── run.sh

You can download the GSQL server jar for your version here: https://dl.tigergraph.com/patch/log4j/${TG_VERSION}/gsql-${TG_VERSION}.jar (the GSQL client jar and the log4j jar come from the URLs that the online scripts fetch, listed below).

The following files will need to be edited for offline patching: replace_gsql_jars.sh and replace_zk_kafka_log4j_jar.sh.

The sed commands below comment out the lines used for online patching:

sed -i -e '23s/^/# /' -e '26,27s/^/# /' replace_gsql_jars.sh
sed -i -e '15s/^/# /' -e '17s/^/# /' replace_zk_kafka_log4j_jar.sh

Or you may comment them out manually.

Comment out lines 23, 26 and 27 in replace_gsql_jars.sh:

23 #rm -rf gsql-jars/*
26 #curl --fail -k -LO https://dl.tigergraph.com/patch/log4j/${TG_VERSION}/gsql-${TG_VERSION}.jar
27 #curl --fail -k -LO https://dl.tigergraph.com/patch/log4j/${TG_VERSION}/gsql_client-${TG_VERSION}.jar

Comment out lines 15 and 17 in replace_zk_kafka_log4j_jar.sh:

15 #rm -rf log4j-1.2.17.jar
17 #curl --fail -k -LO https://dl.tigergraph.com/patch/log4j/log4j-1.2.17.jar

Once the files have been edited, you may run ./run.sh.

K8S TG image patch

●For users of our official public Docker registry, the latest k8s Docker image has already been patched. The existing k8s deployment file still works; we only suggest using the image below directly: docker.tigergraph.com/tigergraph-k8s:latest

●For users of a private k8s Docker registry, please refer to the Dockerfile at the link below: https://github.com/tigergraph/ecosys/blob/k8s_log4j_patch/k8s/Dockerfile

Validating the Patch

To validate GSQL client:

mkdir validate_gsql_client
cd validate_gsql_client
jar xf <TG_APP_ROOT>/dev/gdk/gsql/lib/gsql_client.jar
cat META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties

To validate GSQL server:

mkdir validate_gsql
cd validate_gsql
jar xf <TG_APP_ROOT>/dev/gdk/gsql/lib/.tg_dbs_gsqld.jar
cat META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties

Both outputs (GSQL client and server) should be:

#Created by Apache Maven 3.8.4
version=2.17.0
groupId=org.apache.logging.log4j
artifactId=log

To validate Kafka:

mkdir validate_kafka
cd validate_kafka
jar xf <TG_APP_ROOT>/kafka/libs/log4j-1.2.17.jar
find . -name JMSAppender.class

There should be no output.

To validate Zookeeper:

mkdir validate_zk
cd validate_zk
jar xf <TG_APP_ROOT>/zk/libs/log4j-1.2.17.jar
find . -name JMSAppender.class

There should be no output.
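The four manual checks above can be run as one offline audit. The following is an added example, not part of the TigerGraph patch or its documentation: it reproduces the `jar xf` / `cat pom.properties` / `find JMSAppender.class` steps with Python's zipfile module, so every jar can be inspected in place without extracting it. The jar paths on a real cluster are the `<TG_APP_ROOT>/...` paths from the validation steps; the jars built by `audit_samples()` are constructed fixtures, and the `expect_log4j2` flag and all function names are this example's own.

```python
"""Offline audit of the Log4j patch state of TigerGraph jars (hypothetical helper)."""
import re
import tempfile
import zipfile
from pathlib import Path

# pom.properties path that the validation steps cat after extracting the jar
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_LOG4J2 = (2, 17, 0)          # version the patch installs in the GSQL server/client
JMS_APPENDER = "JMSAppender.class"  # class the patch removes from the log4j 1.2.x jars


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def log4j_core_version(jar_path):
    """Return the log4j-core version recorded in the jar's pom.properties, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        if LOG4J_CORE_POM not in jar.namelist():
            return None
        for line in jar.read(LOG4J_CORE_POM).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jms_appender(jar_path):
    """True if the jar still carries a JMSAppender.class entry (the CVE-2021-4104 class)."""
    with zipfile.ZipFile(jar_path) as jar:
        return any(name.endswith(JMS_APPENDER) for name in jar.namelist())


def check_jar(jar_path, expect_log4j2):
    """Audit one jar and return a result dict.

    expect_log4j2=True  -> GSQL server/client jar: log4j-core must be present and >= 2.17.0.
    expect_log4j2=False -> Kafka/ZooKeeper log4j 1.2.x jar: no log4j-core expected,
                           only the JMSAppender class must be gone.
    """
    version = log4j_core_version(jar_path)
    jms = has_jms_appender(jar_path)
    if expect_log4j2:
        version_ok = version is not None and parse_version(version) >= MIN_LOG4J2
    else:
        version_ok = version is None or parse_version(version) >= MIN_LOG4J2
    return {"jar": str(jar_path), "log4j_core_version": version,
            "jms_appender": jms, "ok": version_ok and not jms}


def make_sample_jar(path, entries):
    """Constructed fixture: write a minimal jar (a zip file) holding `entries`."""
    with zipfile.ZipFile(path, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return path


def pom(version):
    """Constructed pom.properties body in the shape the validation steps print."""
    return ("#Created by Apache Maven 3.8.4\n"
            f"version={version}\n"
            "groupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n")


def audit_samples():
    """Build constructed sample jars in a temporary directory and audit them.

    Returns {sample name: check_jar result}. The names mirror the cluster jars
    from the validation steps; the contents are fabricated for the demo.
    """
    fake_class = b"\xca\xfe\xba\xbe"  # constructed placeholder class bytes
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "gsql_client_patched": ({LOG4J_CORE_POM: pom("2.17.0")}, True),
            "gsql_client_unpatched": ({LOG4J_CORE_POM: pom("2.13.3")}, True),
            "kafka_log4j_unpatched": ({"org/apache/log4j/net/" + JMS_APPENDER: fake_class}, False),
            "zk_log4j_patched": ({"org/apache/log4j/Logger.class": fake_class}, False),
        }
        return {name: check_jar(make_sample_jar(root / f"{name}.jar", entries), expect)
                for name, (entries, expect) in samples.items()}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(name, result)
```

On a cluster, call `check_jar` with `expect_log4j2=True` for `gsql_client.jar` and `.tg_dbs_gsqld.jar` and with `expect_log4j2=False` for the two `log4j-1.2.17.jar` files; for TG 2.x, where the GSQL client does not use log4j at all, check that jar with `expect_log4j2=False` so the absent log4j-core is not reported as a failure.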

If you have any questions or require assistance, please contact TigerGraph Support by opening a ticket at http://tigergraph.zendesk.com or emailing support@tigergraph.zendesk.com.

We’re here to help!