On this page

Prerequisites
Installing the Patch on Existing Cluster Nodes
Installing the Patch on New Nodes
Uninstalling the Patch
(Optional) Upgrading the ECS Password Reset Plug-in
List of Affected Components

Show all

Help Center/ MapReduce Service/ Product Bulletin/ Vulnerability Notice/ Guide for Fixing the Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228)

Guide for Fixing the Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228)

Updated on 2024-09-06 GMT+08:00

View PDF

This section describes how to fix the Apache log4j2 vulnerability CVE-2021-44228. Currently, you can use either of the following methods to fix the vulnerability:

Installing the Patch on Existing Cluster Nodes
Installing the Patch on New Nodes

Prerequisites

You have downloaded the patch tool package MRS_Log4j_Patch.tar.gz from the OBS path.
You have determined the active OMS node in the cluster.
NOTE:

Generally, OMS is deployed on two nodes, master1 and master2. You can use the following commands to determine the active OMS node. The node whose command output contains active is the active OMS node, and the node whose command output contains standby is the standby OMS node.

For clusters whose version is earlier than MRS 3.x, use the following command:

sh /opt/Bigdata/*/workspace0/ha/module/hacom/script/get_harole.sh

For clusters whose version is later than MRS 3.x, use the following command:

sh /opt/Bigdata/om-server*/OMS/workspace0/ha/module/hacom/script/get_harole.sh

Installing the Patch on Existing Cluster Nodes

Upload MRS_Log4j_Patch.tar.gz to the /home/omm directory on the active OMS node. For details, see How Do I Upload a Local File to a Node Inside a Cluster?.
Run the following commands to log in to the active OMS node as user root, modify the permission of the patch tool, switch to user omm, and decompress the patch tool package to the current directory:

chown omm:wheel -R /home/omm/MRS_Log4j_Patch.tar.gz

su - omm

cd /home/omm

tar -zxf MRS_Log4j_Patch.tar.gz
In the /home/omm/MRS_Log4j_Patch/bin/ips.ini file, configure the IP addresses (IP addresses of all nodes in the current cluster) of the nodes where the patch is to be installed.

NOTE:

Configure one IP address in each line. No empty line is allowed.
Run the following scripts to install the patch:

cd /home/omm/MRS_Log4j_Patch/bin

nohup sh install.sh upgrade &

Run the tail -f nohup.out command to check the execution status. If "upgrade patch success." is displayed, the execution is complete.
Log in to Manager, restart the affected components (you are advised to perform this operation during off-peak hours). For details, see List of Affected Components.
(Optional) If you want to install the patch for the newly downloaded client, run the following commands to install the patch for the component package first:

su - omm

cd /home/omm/MRS_Log4j_Patch/bin

nohup sh install.sh upgrade_package &

Run the tail -f nohup.out command to check the execution status. If "upgrade_package patch success." is displayed, the execution is complete.

After the execution is complete, the client downloaded is the one with the patch installed.
CAUTION:
- This step takes a long time, and you do not need to restart the component after performing this step.
- After the patch is installed, do not delete the files related to the patch directory. Otherwise, the patch cannot be uninstalled.

Installing the Patch on New Nodes

Disable Enable Component during the scale-out.
Upload MRS_Log4j_Patch.tar.gz to the /home/omm directory on the active OMS node. For details, see How Do I Upload a Local File to a Node Inside a Cluster?.
Run the following commands to log in to the active OMS node as user root, modify the permission of the patch tool, switch to user omm, and decompress the patch tool package to the current directory:

chown omm:wheel -R /home/omm/MRS_Log4j_Patch.tar.gz

su - omm

cd /home/omm

tar -zxf MRS_Log4j_Patch.tar.gz
In the /home/omm/MRS_Log4j_Patch/bin/ips.ini file, configure the IP addresses (IP addresses of the new nodes in the current cluster) of the nodes where the patch is to be installed.

NOTE:

Configure one IP address in each line. No empty line is allowed.
Run the following scripts to install the patch:

cd /home/omm/MRS_Log4j_Patch/bin

nohup sh install.sh upgrade &

Run the tail -f nohup.out command to check the execution status. If "upgrade patch success." is displayed, the execution is complete.
Log in to Manager and start instances on the new node.

Uninstalling the Patch

Log in to the active OMS node as user root and run the following commands to uninstall the patch:

su - omm

cd /home/omm/MRS_Log4j_Patch/bin

nohup sh install.sh rollback &

Run the tail -f nohup.out command to check the execution status. If "rollback patch success." is displayed, the execution is complete.
Log in to Manager, restart the affected components (you are advised to perform this operation during off-peak hours). For details, see List of Affected Components.
Perform the following operation if you have performed 6 in Installing the Patch on Existing Cluster Nodes during patch installation and you want to roll back the modification in the component package:

Log in to the active OMS node as user root and run the following commands:

su - omm

cd /home/omm/MRS_Log4j_Patch/bin

nohup sh install.sh rollback_package &

Run the tail -f nohup.out command to check the execution status. If "rollback_package patch success." is displayed, the execution is complete.

(Optional) Upgrading the ECS Password Reset Plug-in

Huawei Cloud ECS provides the one-click password reset function. If the password of an ECS is lost or expires, you can use this function to reset the password with a few clicks. The password reset plug-in is a client process running in the ECS and does not provide any external network services. The password reset plug-in CloudResetPwdUpdateAgent uses the Apache Log4j2 component. According to the analysis and verification of Huawei Cloud security lab, the ECS password reset plug-in has no security risks.

To upgrade the Log4j2 version of this plug-in, perform the following steps:

Upload MRS_Log4j_Patch.tar.gz to the /home/omm directory on the active OMS node. For details, see How Do I Upload a Local File to a Node Inside a Cluster?.
Run the following commands to log in to the active OMS node as user root, modify the permission of the patch tool, switch to user omm, and decompress the patch tool package to the current directory:

chown omm:wheel -R /home/omm/MRS_Log4j_Patch.tar.gz

su - omm

cd /home/omm

tar -zxf MRS_Log4j_Patch.tar.gz
In the /home/omm/MRS_Log4j_Patch/bin/ips.ini file, configure the IP addresses (IP addresses of all nodes in the current cluster) of the nodes where the patch is to be installed.

NOTE:

Configure one IP address in each line. No empty line is allowed.
Perform the following steps based on the node login mode:
- Password login
  Run the following command:
  
  nohup sh install.sh upgrade_resetpwdagent passwd:Login password &
  
  For example, if the password is xyz123, run the following command:
  
  nohup sh install.sh upgrade_resetpwdagent passwd:xyz123 &
  
  Run the tail -f nohup.out command to check the execution status. If "upgrade_resetpwdagent patch success." is displayed, the execution is complete.
- Key login
  1. Upload the private key file of user root to the /home/omm/MRS_Log4j_Patch/bin directory and ensure that the owner group of the file is root:root. Then, run the following commands:
    chown root:root /home/omm/MRS_Log4j_Patch/bin/Key file
    
    chmod 644 /home/omm/MRS_Log4j_Patch/bin/Key file
  2. Run the following commands:
    su - omm
    
    cd /home/omm/MRS_Log4j_Patch/bin
    
    nohup sh install.sh upgrade_resetpwdagent privatekey:Path of the private key file &
    
    For example, if the private key file path is /home/omm/MRS_Log4j_Patch/bin/abc.pem, run the following command:
    
    nohup sh install.sh upgrade_resetpwdagent privatekey:/home/omm/MRS_Log4j_Patch/bin/abc.pem &
    
    Run the tail -f nohup.out command to check the execution status. If "upgrade_resetpwdagent patch success." is displayed, the execution is complete.

List of Affected Components

MRS Cluster Version	Affected Component
MRS 3.1.1	Hive, Oozie, Flink, Ranger, and Tez
MRS 3.1.0	Hive, Flink, Spark, Tez, Impala, Ranger, Presto, and Oozie
MRS 3.0.5	Hive, Flink, Spark, Tez, Impala, Ranger, Presto, Oozie, Storm, and Loader
MRS 3.0.2	Hive, Flink, Spark, Tez, Ranger, Oozie, Storm, and Loader
MRS 2.1.1	Hive, Tez, Storm, Loader, Impala, and Presto
MRS 2.1.0	Loader, Hive, Storm, Presto, Impala, Tez, Spark, and HBase
MRS 1.9.3	Loader, Hive, Tez, Spark, and Flink
MRS 1.9.2	Loader, Hive, Tez, Spark, Flink, and Impala
MRS 1.9.0	Loader, Hive, Spark, and Flink
MRS 1.8.10	Loader and Storm
MRS 1.7.1	Loader and Storm

Parent topic: Vulnerability Notice

Previous topic: Vulnerability Notice

Next topic: MRS Fastjson Vulnerability Remediation Guide

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot