Alibaba Cloud recently discovered a remote code execution (RCE) vulnerability in Apache Log4j2 and reported the vulnerability to Apache. This topic describes the impacts of the vulnerability and provides security suggestions for customers and cloud services.

Impacts

Fully managed Flink jobs are isolated between users from each other because the fully managed Flink service of each user runs in an isolated environment. In most cases, this vulnerability cannot be exploited by external attackers. Before you run a fully managed Flink job, you must check the whitelist for accessing external resources, especially the connections between your job and external Java Naming and Directory Interface (JNDI) resources, such as Lightweight Directory Access Protocol (LDAP) and remote method invocation (RMI) resources. If your fully managed Flink job has permissions to access the external JNDI resources, attackers may exploit this vulnerability to access these resources. This may pose system security risks.

Security suggestions

  • Temporary solution for customers
    1. In the left-side navigation pane of the console of fully managed Flink, choose Administration > Deployment Defaults. On the Deployment Defaults page, add the following Java Virtual Machine (JVM) configuration to the Additional Configuration section.
      env.java.opts: '-Dlog4j2.formatMsgNoLookups=true'
      This way, the lookup feature of Log4j 2 is disabled, and the security risks that are caused by this feature are prevented. The following figure shows the configuration. Additional Configuration
      Note After you add the configuration on the Deployment Defaults page, the configuration takes effect for all the jobs that you create later. For a fully managed Flink job that is running, you can find the job on the Draft Editor page, click Advanced on the right side of the page, and then add env.java.opts: '-Dlog4j2.formatMsgNoLookups=true' to the Additional Configuration section.
    2. Check the log configuration and modify the configuration based on your business requirements.
      1. Find PatternLayout in the log configuration and replace the context lookup mode such as ${ctx:loginId} or $${ctx:loginId} with the Thread Context Map mode, such as %X, %mdc, or %MDC.
      2. Remove the context lookup mode such as ${ctx:loginId or $${ctx:loginId} from the log configuration. In context lookup mode, malicious data can be injected and parsed by Log4j.
    3. Restart the job to allow the modification to take effect.
  • Solution for the fully managed Flink service
    • Ververica Runtime (VVR) 1.X: Log4j 2 is not used in this version. Therefore, this version is not affected by the vulnerability. However, technical support for VVR 1.X is no longer provided. We recommend that you update VVR 1.X to the latest version to enjoy more powerful features and service protection.
    • VVR 2.X, VVR 3.X, and VVR 4.X: A version was released on December 31, 2021 to fix this vulnerability. Pay attention to the release announcement and update your job to the latest version at the earliest opportunity to prevent security risks.
      Note Major versions may not be compatible with each other. To ensure version compatibility before and after the update, update the version of your job to the latest minor version in the current major version of the job. If you have any questions, submit a ticket.

References