Vertica Potential Security Vulnerability Apache log4j CVE-2021-45046
SUPPORT COMMUNICATION - SECURITY BULLETIN
Potential Security Impact: remote code execution
A potential vulnerability has been identified: Apache log4j library used by Vertica Server.
The vulnerability could be exploited to allow remote code execution.
CVE References: CVE-2021-45046 replaces CVE-2021-44228
SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):
Vertica Server – all versions
CVSS Version 3.1 Metrics:
Reference V3.1 Vector V3.1 Base Score
CVE-2021-45046 N/A N/A
CVE-2021-44228 N/A N/A
You can either apply the patch or perform the workaround. The workaround will work for all Vertica Versions.
Two components in the Vertica product contain a vulnerable version of the log4j library: the Management Console (MC) and the Kafka scheduler. In upcoming patches, both components will be modified to use either log4j 2.16.0 (for Java8 programs) or log4j 2.12.2 (for Java7 programs) as recommended by Apache. All Vertica versions currently under Committed Support (10.0, 10.1, and 11.0) will be patched as well as selected unsupported Vertica versions (9.2 and 9.3). To mitigate the problem while hotfixes become available use the workaround below.
As part of a comprehensive patch, customers using HCatalog features are advised to update the log4j version on their Hadoop cluster and re-execute the hcatUtil utility as detailed in the workaround below.
The workaround can be applied in situations when upgrading to the patched version is impossible or in the interim period waiting for the patch. The workaround involves individually addressing each of the instances of the vulnerable versions of the log4j library by removing the JndiLookup.class file from the log4j-core-*.jar file as recommended by Apache. These steps are universal across Vertica versions.
- On every database server node, update the Kafka scheduler .jar to remove the vulnerable class.
This file used by the server's kafka scheduler was added in Vertica 7.2. If customers are on 7.1 or earlier this file will not exist and there is no action needed. Customers on 7.2 and later should run the zip command below. This step is performed as the Vertica dbadmin Linux user.
zip -q -d /opt/vertica/packages/kafka/lib/log4j-core*.jar \ org/apache/logging/log4j/core/lookup/JndiLookup.class
- On the MC node, there is a copy of the Kafka scheduler used by the Management Console. Update this as well to remove the vulnerable class.
The jar file included in the MC was added in Vertica 8.0. If customers are using MC on 7.2 or earlier this file will not exist and there is no action needed. Customers on 8.0 MC and later should run the zip command below. This step is performed as the MC Linux admin user.
zip -q -d /opt/vconsole/vendor/vertica/kafka/lib/log4j-core*.jar \ org/apache/logging/log4j/core/lookup/JndiLookup.class
- On the MC node, there is also a copy of log4j bundled in the webui.war file. This is extracted at runtime to supply the web assets. The webui.war file should be updated to remove the vulnerable class, then the temp directory should be purged and the MC restarted so that the new assets are extracted and used.
This is applicable for MC versions 9.3 and later. MC version 9.2 and earlier uses version 1.x of the log4j library which is not vulnerable. There will still be a webui.war file on all versions of the MC, but edits are only needed for 9.3 and later. This step is performed as the MC Linux admin user.
mkdir /tmp/war cd /tmp/war cp /opt/vconsole/lib/webui.war . unzip -o webui.war zip -q -d WEB-INF/lib/log4j-core*.jar \ org/apache/logging/log4j/core/lookup/JndiLookup.class zip -r -u webui.war WEB-INF sudo /etc/init.d/vertica-consoled stop cp webui.war /opt/vconsole/lib/webui.war rm -rf /opt/vconsole/temp/* sudo /etc/init.d/vertica-consoled start
On every database node, check for the existence of log4j in the /opt/vertica/packages/hcat/lib/ directory. These are imported libraries downloaded from a connected Hadoop cluster. Update the libraries on that Hadoop cluster and then follow the Vertica documentation for “Configuring Vertica for HCatalog” to re-configure Vertica with the new log4j library. This will involve running the /opt/vertica/packages/hcat/tools/hcatUtil and recompiling the HCatalog connector.
On cloud images published by Vertica, a file /var/opt/vconsole/MCClient.jar exists that is used to initially configure the MC. This file contains a vulnerable version of log4j but is not necessary once the cloud instance has already been launched. This file should be deleted if it exists.
Vertica Accelerator (Vertica as a Service)
Vertica Accelerator is not impacted by this vulnerability.