A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.
For Log4j versions >=2.10
set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
For Log4j versions >=2.7 and <=2.14.1
all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m
For Log4j versions >=2.0-beta9 and <=2.10.0
remove the JndiLookup class from the classpath. For example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
On OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: <https://access.redhat.com/solutions/6578421>
On OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: <https://access.redhat.com/solutions/6578441>