
cloudera-scripts-for-log4j

This repo contains scripts and helper tools to mitigate the critical Log4j vulnerability CVE-2021-44228 (Log4Shell) in Cloudera products. The vulnerability affects Log4j 2 versions from 2.0-beta9 through 2.14.1.

Please read the technical service bulletin TSB-545 for an analysis of which products are affected, and apply the mitigations listed in its Actions Required section.

If you are using “CDH, HDP, and HDF” or “CDP Private Cloud”, refer to Resolution for TSB-545 - Private Cloud Version

If you are using “CDP Public Cloud”, refer to Resolution for TSB-545 - Public Cloud Version

Running the script

run_log4j_patcher.sh scans a directory tree for jar files and removes JndiLookup.class from every jar that contains it, which disables the JNDI lookup that Log4Shell abuses. Do not run any other script in this directory directly; run_log4j_patcher.sh calls them itself.

  1. Run the script as root on ALL nodes of your cluster.
    • The script takes one mandatory subcommand naming the distribution (cdh|cdp|hdp|hdf).
    • (CDH and CDP only) Two optional overrides: the base directory to scan (-t) and the backup directory (-b). The defaults are /opt/cloudera and /opt/cloudera/log4shell-backup respectively, which are correct for CM/CDH 6 and CDP 7. HDP uses a different set of directories.
  2. Check that the last line of the script output reads 'Finished'; that is the confirmation that the run completed. The script aborts as soon as any command exits unsuccessfully, so output that does not end in 'Finished' means the node is not fully patched and the run must be repeated once the cause is fixed.
  3. Restart Cloudera Manager Server (or Ambari), all clusters, and all running jobs and queries. Removing the class from a jar on disk does not change a JVM that has already loaded it, so nothing is protected until it is restarted.

    Usage: run_log4j_patcher.sh (subcommand) [options]
    Subcommands:
        help              Prints this message
        cdh               Scan a CDH cluster node
        cdp               Scan a CDP cluster node
        hdp               Scan a HDP cluster node
        hdf               Scan a HDF cluster node

    Options:
        -t <targetdir>          Override target directory (default: distro-specific)
        -b <backupdir>          Override backup directory (default: /opt/cloudera/log4shell-backup)
        -p <dell|ibm|common>    Override platform type (default: common)

    Environment Variables:
        SKIP_JAR          If non-empty, skips scanning and patching .jar files
        SKIP_TGZ          If non-empty, skips scanning and patching .tar.gz files (cdh and cdp only)
        SKIP_HDFS         If non-empty, skips scanning and patching .tar.gz files in HDFS
        RUN_SCAN          If non-empty, runs a final scan for missed vulnerable files. This can take several hours.
        TMPDIR            Temporary directory to use (default: /tmp). Set this to use a different location.

Examples:

  1. Scan only, without patching jars, .tar.gz archives, or HDFS:
     SKIP_JAR=1 SKIP_TGZ=1 SKIP_HDFS=1 RUN_SCAN=1 ./run_log4j_patcher.sh [cdp|cdh|hdp|hdf]
  2. Patch jars, .tar.gz archives, and HDFS, then run the final scan:
     RUN_SCAN=1 ./run_log4j_patcher.sh [cdp|cdh|hdp|hdf]
  3. Run the script on IBM Spectrum Scale:
     ./run_log4j_patcher.sh [cdp|cdh|hdp|hdf] -p ibm
     NOTE: For IBM Power PC clusters that use HDFS, the '-p ibm' option is NOT required; the default platform is used for such deployments.
  4. Run the script on Dell PowerScale/Isilon:
     ./run_log4j_patcher.sh [cdp|cdh|hdp|hdf] -p dell
     NOTE: An HDFS keytab is mandatory when running the script on secure (Kerberos-enabled) Dell clusters. The script expects the HDFS headless keytab at /etc/security/keytabs/hdfs.headless.keytab.

HDP notes: the HDP removal script currently only processes the /user/ directory on HDFS. To cover other HDFS paths, modify or extend hdp_log4j_jndi_removal.sh around line 57.
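As an added illustration (not the project's own code, and written in Python rather than the repo's bash so it runs anywhere with a standard interpreter), the following reimplements the core of what the patcher does to each jar on a node: find jars containing JndiLookup.class, copy each into a backup tree that mirrors its relative path, rewrite the jar without that entry, then rescan with the backup directory excluded as a RUN_SCAN-style confirmation. The directory names, jar names and placeholder class bytes are constructed for the demo and are not taken from the scripts.

```python
"""Added example, not code from the Cloudera repo: a self-contained version of the
jar mitigation run_log4j_patcher.sh applies, runnable on constructed input. The
directory layout, file names and sample jar contents are assumptions."""
import os, shutil, stat, tempfile, zipfile

# Entry whose removal disables the ${jndi:...} lookup abused by CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
OTHER_CLASS = "org/apache/logging/log4j/core/lookup/StrLookup.class"

def jar_has_jndi_lookup(jar_path):
    """True if the archive still contains JndiLookup.class."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return False  # not a zip, so nothing to patch

def scan_for_vulnerable_jars(root, exclude=None):
    """Return every .jar under root that still carries the class. The backup
    directory is pruned: it holds unpatched copies and would be flagged on rescan."""
    exclude = os.path.abspath(exclude) if exclude else None
    hits = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if os.path.abspath(os.path.join(dirpath, d)) != exclude]
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".jar") and jar_has_jndi_lookup(path):
                hits.append(path)
    return sorted(hits)

def remove_jndi_lookup(jar_path, backup_path):
    """Back up the jar, then rewrite it without JndiLookup.class, keeping other
    entries' metadata and compression; os.replace swaps the result in atomically."""
    if not jar_has_jndi_lookup(jar_path):
        return False
    os.makedirs(os.path.dirname(backup_path), exist_ok=True)
    shutil.copy2(jar_path, backup_path)
    mode = stat.S_IMODE(os.stat(jar_path).st_mode)
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path), suffix=".patching")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info))
    os.chmod(tmp_path, mode)  # keep the original permission bits
    os.replace(tmp_path, jar_path)
    return True

def patch_tree(root, backup_dir):
    """Patch every vulnerable jar under root; backups mirror the relative path."""
    patched = []
    for jar in scan_for_vulnerable_jars(root, exclude=backup_dir):
        if remove_jndi_lookup(jar, os.path.join(backup_dir, os.path.relpath(jar, root))):
            patched.append(jar)
    return patched

def make_sample_jar(path, include_jndi):
    """Constructed input: a manifest, one unrelated class and, optionally, a
    stand-in JndiLookup.class (placeholder bytes, not a real class file)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(OTHER_CLASS, b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def demo():
    """Build a throw-away tree shaped like the script's defaults, patch it,
    rescan, and return the facts worth checking."""
    top = tempfile.mkdtemp(prefix="log4shell-demo-")
    try:
        root = os.path.join(top, "opt", "cloudera")
        backup_dir = os.path.join(root, "log4shell-backup")
        os.makedirs(os.path.join(root, "lib"))
        vulnerable = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
        make_sample_jar(vulnerable, include_jndi=True)
        make_sample_jar(os.path.join(root, "lib", "log4j-api-2.14.1.jar"), include_jndi=False)
        patched = patch_tree(root, backup_dir)
        after = scan_for_vulnerable_jars(root, exclude=backup_dir)  # RUN_SCAN-style final check
        rerun = patch_tree(root, backup_dir)  # a second run must be a no-op
        with zipfile.ZipFile(vulnerable) as zf:
            remaining = zf.namelist()
        return {
            "patched": len(patched), "after": len(after), "rerun": len(rerun),
            "backup_has_class": jar_has_jndi_lookup(os.path.join(backup_dir, "lib", "log4j-core-2.14.1.jar")),
            "other_entries_kept": "META-INF/MANIFEST.MF" in remaining and OTHER_CLASS in remaining,
        }
    finally:
        shutil.rmtree(top, ignore_errors=True)

if __name__ == "__main__":
    print(demo())
```

Two points the example makes explicit. The backup tree holds unpatched jars, so it has to be skipped when rescanning (the script's default backup directory sits inside its default scan directory) and should be removed or locked down once the cluster is confirmed healthy. And the rewrite is idempotent, so re-running after a partial failure is safe. The example handles plain jars only; .tar.gz archives and files in HDFS, which the script covers via the SKIP_TGZ and SKIP_HDFS switches, are out of scope here.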

Contributors

abjain123, jtran-cloudera, shardy-cloudera, sunilgovind, tarunparimi
