Security Bulletin: Vulnerability in Apache Log4j affects the components (Elastic Search and Hadoop) of IBM Financial Crimes Insight for Claims Fraud

2021-12-17 18:24:11
www.ibm.com

CVSS3: 10 High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 9.3 High
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.975 High (percentile 99.9%)

Summary

There is a vulnerability in the Apache Log4j open source library used by IBM Financial Crimes Insight for Claims Fraud for generating logs in some of its components. This bulletin provides mitigations for the Log4Shell vulnerability (CVE-2021-44228) by applying the applicable workaround steps to IBM Financial Crimes Insight for Claims Fraud.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s)                                  Version(s)
Financial Crimes Insights Platform                   All
CFM - Banking, Healthcare, Insurance, Government     All

Remediation/Fixes

The recommended solution is to apply the fixes for Elastic Search and Hadoop described in the steps below as soon as possible.

Steps for Elastic Search:

To fix the log4j vulnerability in Elastic Search for IBM Financial Crimes Insight for Claims Fraud, complete the following steps:

  1. Log in to the OpenShift cluster using oc login from the Ambari server.

  2. Ensure all Elastic Search pods are healthy and in the Running state.

    oc get po | grep fci-elasticsearch

  3. Set the JVM property that applies the log4j fix by running the following commands:

    oc patch sts fci-elasticsearch-master -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","env":[{"name":"ES_JAVA_OPTS","value":"-Dlog4j2.formatMsgNoLookups=true"}]}]}}}}'
    oc patch sts fci-elasticsearch-data -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","env":[{"name":"ES_JAVA_OPTS","value":"-Dlog4j2.formatMsgNoLookups=true"}]}]}}}}'
    oc patch sts fci-elasticsearch-client -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","env":[{"name":"ES_JAVA_OPTS","value":"-Dlog4j2.formatMsgNoLookups=true"}]}]}}}}'

    The Elastic Search pods are restarted automatically after the commands are executed.

  4. Ensure all Elastic Search pods have restarted.

    oc get po | grep fci-elasticsearch

  5. Verify that the log4j fix is applied: the JVM process should now be running with the new JVM argument -Dlog4j2.formatMsgNoLookups=true.

    oc exec fci-elasticsearch-data-0 -- ps aux
    oc exec fci-elasticsearch-master-0 -- ps aux
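As an added example (not part of the IBM bulletin), the following POSIX shell script automates the verification in the last step: it reads `ps aux` listings captured from the Elastic Search pods and reports any Elasticsearch JVM that was started without -Dlog4j2.formatMsgNoLookups=true. The sample listings are constructed, and the check keys on the org.elasticsearch.bootstrap.Elasticsearch main class, which is an assumption about how the JVM command line appears in the pod. Two caveats before relying on this verification: the property is only honoured by Log4j 2.10 and later, so the bundled Log4j version should be confirmed as well, and the oc patch commands set ES_JAVA_OPTS to a single value, so any ES_JAVA_OPTS already defined on the containers (heap settings, for example) is replaced and must be folded into the patched value.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): check captured `ps aux` output from
# an Elasticsearch pod for the -Dlog4j2.formatMsgNoLookups=true JVM argument.
# Capture one listing per pod with, for example:
#   oc exec fci-elasticsearch-data-0 -- ps aux > data-0.ps
# The sample listings below are constructed for this example.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# es_jvm_lines FILE: print only the ps lines of Elasticsearch JVMs, identified by
# the Elasticsearch bootstrap main class (assumption), so shells and sidecars are ignored.
es_jvm_lines() {
    grep 'org.elasticsearch.bootstrap.Elasticsearch' "$1" || true
}

# count_unpatched FILE: number of Elasticsearch JVMs started without the flag.
count_unpatched() {
    es_jvm_lines "$1" | grep -v -F -e "$FLAG" | wc -l | tr -d ' '
}

# check_pod FILE: 0 if at least one Elasticsearch JVM is running and all of them
# carry the flag; 2 if no JVM is found (pod not ready, which is not a pass); 1 otherwise.
check_pod() {
    total=$(es_jvm_lines "$1" | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] || return 2
    [ "$(count_unpatched "$1")" -eq 0 ]
}

# Constructed sample listings: one patched pod, one unpatched pod, one still starting.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

PATCHED_PS="$TMPD/patched.ps"
cat > "$PATCHED_PS" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
elastic+     1  0.0  0.0   4300   700 ?        Ss   10:01   0:00 /bin/sh /usr/local/bin/docker-entrypoint.sh
elastic+     7 12.3  5.1 4512340 1203456 ?     Sl   10:01   0:45 /usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch
elastic+    99  0.0  0.0   5200   900 ?        Rs   10:30   0:00 ps aux
EOF

UNPATCHED_PS="$TMPD/unpatched.ps"
cat > "$UNPATCHED_PS" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
elastic+     1  0.0  0.0   4300   700 ?        Ss   09:12   0:00 /bin/sh /usr/local/bin/docker-entrypoint.sh
elastic+     7 11.8  5.0 4498120 1198760 ?     Sl   09:12   1:12 /usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch
elastic+   101  0.0  0.0   5200   900 ?        Rs   10:30   0:00 ps aux
EOF

EMPTY_PS="$TMPD/starting.ps"
cat > "$EMPTY_PS" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
elastic+     1  0.0  0.0   4300   700 ?        Ss   10:29   0:00 /bin/sh /usr/local/bin/docker-entrypoint.sh
elastic+     8  0.0  0.0   5200   900 ?        Rs   10:30   0:00 ps aux
EOF

# Report one line per listing; the exit code tells a not-yet-ready pod from an unpatched one.
for f in "$PATCHED_PS" "$UNPATCHED_PS" "$EMPTY_PS"; do
    if check_pod "$f"; then
        echo "$(basename "$f"): OK (every Elasticsearch JVM carries $FLAG)"
    else
        rc=$?
        echo "$(basename "$f"): FAIL (rc=$rc, JVMs without the flag: $(count_unpatched "$f"))"
    fi
done
```

Run it after capturing one listing per pod; a return code of 2 means no Elasticsearch JVM was found yet (check the pod again after the restart completes), while 1 means a JVM is running without the argument and the patch did not take effect on that StatefulSet.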

Steps for Hadoop:

To fix the log4j vulnerability in Hadoop for IBM Financial Crimes Insight for Claims Fraud, complete the following steps:

  1. Download the cloudera-scripts-for-log4j-main.zip file.

  2. Copy it to all the Hadoop nodes.

  3. Complete the following steps on every Hadoop node:

    1. Copy the cloudera-scripts-for-log4j-main.zip file to /root/.

    2. Run the following commands to extract the .zip file:

        cd /root
        unzip cloudera-scripts-for-log4j-main.zip

    3. Run the following command and note down the top-level folder names that appear in the results, such as /usr, /fcigraph, /grid, etc. (the pattern is quoted so that the shell does not expand it before find sees it):

        find / -name 'log4j*.jar' > list_of_impacted_jars.txt

    4. Create a backup folder with the following command:

        mkdir /log4j_backup

    5. Run the following command for each folder to apply the fix:

        ./run_log4j_patcher.sh hdp -t /usr/ -b /log4j_backup > patch.log 2>&1 &

      Note: In the above command, replace /usr/ with each of the folder names that were found, such as /fcigraph/, /grid/, etc. The command runs in the background and writes its output to patch.log; this process may take 10 to 15 minutes.

    6. Run the following commands to verify:

        cd /log4j_backup
        find . -name '*.backup'

      Note: This lists all the impacted .jar files that were patched; the list should match list_of_impacted_jars.txt.

  4. Restart the impacted services (hive and oozie) from the Ambari console.
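As an added example (not part of the IBM bulletin or of the Cloudera scripts), the following POSIX shell script performs the comparison that the verification step leaves to the reader: it reconciles list_of_impacted_jars.txt with the .backup entries found under the backup folder and prints every inventoried jar that has no backup. It assumes, since the bulletin does not say, that the patcher stores each backup under the backup folder at the jar's original path with a .backup suffix; both input lists are constructed. Entries that remain without a backup deserve a look rather than an automatic failure: the find pattern log4j*.jar also matches jars such as log4j-api, which do not contain the JNDI lookup code, so a gap may be benign or may be a host the patcher did not reach.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin or the Cloudera scripts): reconcile the
# jar inventory written by `find / -name 'log4j*.jar' > list_of_impacted_jars.txt`
# with the backups listed by `find . -name '*.backup'` inside the backup folder.
# Assumption (not stated in the bulletin): each backup sits under the backup folder
# at the jar's original path with a .backup suffix, e.g.
#   /grid/app/lib/log4j-core-2.11.2.jar  ->  ./grid/app/lib/log4j-core-2.11.2.jar.backup
# Both input lists below are constructed for this example.

# normalize_jars FILE: absolute jar paths, sorted and de-duplicated for comm(1).
normalize_jars() {
    sort -u "$1"
}

# normalize_backups FILE: turn each backup entry back into the original jar path
# by replacing the leading "./" with "/" and dropping the ".backup" suffix.
normalize_backups() {
    sed -e 's#^\./#/#' -e 's/\.backup$//' "$1" | sort -u
}

# missing_backups JARS BACKUPS: print inventory jars for which no backup exists.
missing_backups() {
    tmp=$(mktemp)
    normalize_backups "$2" > "$tmp"
    normalize_jars "$1" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# missing_count JARS BACKUPS: number of inventory jars without a backup.
missing_count() {
    missing_backups "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data: four inventoried jars, two of them backed up by the patcher.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

JARS="$TMPD/list_of_impacted_jars.txt"
cat > "$JARS" <<'EOF'
/usr/hdp/current/hive-client/lib/log4j-core-2.11.2.jar
/usr/hdp/current/hive-client/lib/log4j-api-2.11.2.jar
/fcigraph/lib/log4j-core-2.13.3.jar
/grid/app/lib/log4j-core-2.11.2.jar
EOF

BACKUPS="$TMPD/backups.txt"
cat > "$BACKUPS" <<'EOF'
./usr/hdp/current/hive-client/lib/log4j-core-2.11.2.jar.backup
./fcigraph/lib/log4j-core-2.13.3.jar.backup
EOF

# Report the result; a non-empty list means the host needs review before sign-off.
n=$(missing_count "$JARS" "$BACKUPS")
if [ "$n" -eq 0 ]; then
    echo "every inventoried jar has a backup"
else
    echo "$n jar(s) without a backup, review before sign-off:"
    missing_backups "$JARS" "$BACKUPS"
fi
```

On a real node, point JARS at /root/list_of_impacted_jars.txt and BACKUPS at the output of the find command run inside /log4j_backup; the comparison is by full path, so two copies of the same jar name under different folders (for example under /usr and /grid) are tracked separately, which matters when the patcher was run for some folders but not yet for others.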

Workarounds and Mitigations

None
