This repo contains scripts and helper tools to mitigate the critical log4j vulnerability CVE-2021-44228 for Cloudera products affecting all versions of log4j between 2.0 and 2.14.1.
Please read the technical service bulletin found here for an analysis of which products have been affected, and find the mitigations in the actions required section for the TSB.
If you are using “CDH, HDP, and HDF” or “CDP Private Cloud”, refer to Resolution for TSB-545 - Private Cloud Version
If you are using “CDP Public Cloud”, refer to Resolution for TSB-545 - Public Cloud Version
run_log4j_patcher.sh scans a directory for jar files and removes JndiLookup.class from the ones it finds. Do not run any other scripts in this directory--they will be called by run_log4j_patcher.sh automatically.
- Run the script as root on ALL nodes of your cluster.
- Script will take 1 mandatory argument (cdh|cdp|hdp)
- (For CDH and CDP only) The script takes 2 optional arguments: a base directory to scan in, and a backup directory. The default for both are /opt/cloudera and /opt/cloudera/log4shell-backup, respectively. These defaults work for CM/CDH 6 and CDP 7. A different set of directories will be used for HDP.
- Ensure that the last line of the script output indicates ‘Finished’ to verify that the job has completed successfully. The script will fail if a command exits unsuccessfully.
- Restart Cloudera Manager Server or Ambari, all clusters, and all running jobs and queries.
Usage: run_log4j_patcher.sh (subcommand) [options]
Subcommands:
help Prints this message
cdh Scan a CDH cluster node
cdp Scan a CDP cluster node
hdp Scan a HDP cluster node
hdf Scan a HDF cluster node
Options:
-t <targetdir> Override target directory (default: distro-specific)
-b <backupdir> Override backup directory (default: /opt/cloudera/log4shell-backup)
-p <dell|ibm|common> Override platform type (default: common)
Environment Variables:
SKIP_JAR If non-empty, skips scanning and patching .jar files
SKIP_TGZ If non-empty, skips scanning and patching .tar.gz files (cdh and cdp only)
SKIP_HDFS If non-empty, skips scanning and patching .tar.gz files in HDFS
RUN_SCAN If non-empty, runs a final scan for missed vulnerable files. This can take several hours.
TMPDIR If non-empty, uses /tmp as the temporary directory. Set a different temporary directory using this.
LOG4J_VERSION If non-empty, runs scan or removal of vulnerable classes from specific log4j version. For eg: "LOG4J_VERSION=1.x"
EXIT_ON_FAIL If non-empty, exit with non-zero error code if any vulnerabilities were found. Script will return zero, if there are no vulnerabilities.
Example :
- Run scan without patching jar, tar, and HDFS.
SKIP_JAR=1 SKIP_TGZ=1 SKIP_HDFS=1 RUN_SCAN=1 ./run_log4j_patcher.sh [cdp|cdh|hdp|hdf]
- Run scan after patching jar, tar, and HDFS.
RUN_SCAN=1 ./run_log4j_patcher.sh [cdp|cdh|hdp|hdf]
- Run script on an IBM SpectrumScale
./run_log4j_patcher.sh [cdp|cdh|hdp|hdf] -p ibm
NOTE: For IBM Power PC with HDFS clusters, '-p ibm' option is NOT required. Default platform will be picked for such deployments.
- Run script on an DELL PowerScale/ISILON
./run_log4j_patcher.sh [cdp|cdh|hdp|hdf] -p dell
NOTE: HDFS keytab is mandatory to run the script for DELL Secure clusters. Script expects HDFS headless keytab in '/etc/security/keytabs/hdfs.headless.keytab' path.
- Run scan without patching jar, tar, and HDFS for log4j1.
LOG4J_VERSION=1.x SKIP_JAR=1 SKIP_TGZ=1 SKIP_HDFS=1 RUN_SCAN=1 ./run_log4j_patcher.sh [cdp|cdh|hdp|hdf]
- Run lo4j vulnarable class removal script for log4j1
LOG4J_VERSION=1.x ./run_log4j_patcher.sh [cdp|cdh|hdp|hdf]
HDP Notes : Currently the HDP removal scrips works on folder /user/ on HDFS. Please modify/extent in The hdp_log4j_jndi_removal.sh around line 57.