@jasonwbarnett
Last active December 11, 2021 01:03
Mitigate log4j vulnerability for Chef Infra Server without upgrading

Overview

Chef Progress has already begun working on a fix that will be released in the next Chef Infra Server release, see: chef/chef-server#2992

If for some reason you can't upgrade soon, here is an alternative. I highly recommend upgrading instead of using this fix. This fix is meant to be a stopgap solution.

Alternative Fix

This only works if you're using a version of Chef Infra Server that ships with elasticsearch. If you're using an old version of Chef Infra Server that is still using solr, this won't work.

Quickly validate that you're using a modern version of Chef Infra Server:

# The [e] bracket keeps grep from matching its own command line
sudo ps -ef | grep -i '[e]lastic'

If you see an elasticsearch process, then this fix will most likely work for you.

If you're running an older version of Chef Infra Server, you might not even be affected by the vulnerability, because the solr instance uses log4j 1.x which, according to some articles, doesn't have the vulnerability.

#!/bin/bash
TEMPLATE=/opt/opscode/embedded/cookbooks/private-chef/templates/default/elasticsearch_jvm.opts.erb
# Back up and patch the template only once, so a re-run neither
# overwrites the clean backup nor appends the flag a second time.
if ! sudo grep -q 'formatMsgNoLookups' "$TEMPLATE"; then
sudo cp -a "$TEMPLATE" "$TEMPLATE-bak"
cat <<'eof' | sudo tee -a "$TEMPLATE"
## RCE 0-day exploit found in log4j, a popular Java logging package
#https://www.randori.com/blog/cve-2021-44228/
#https://github.com/elastic/elasticsearch/issues/81618
-Dlog4j2.formatMsgNoLookups=true
eof
fi
# Re-render jvm.options from the template, then restart so the JVM picks up the flag
sudo chef-server-ctl reconfigure
sudo chef-server-ctl restart elasticsearch
# Validate: the flag is in the rendered config and on the running JVM's command line
sudo tail -n10 /var/opt/opscode/elasticsearch/config/jvm.options
sudo ps -ef | grep '[f]ormatMsgNoLookups'
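
The validation step above can also be scripted. The following is an added example, not part of the original gist: it checks that the flag is an active line in the rendered jvm.options and that the bundled log4j-core is 2.10 or later, since earlier 2.x releases do not honor `log4j2.formatMsgNoLookups`. The function names are hypothetical, and it assumes the jars are named `log4j-core-<version>.jar` under a directory you pass in.

```shell
#!/bin/bash
# Added example (not from the gist): verify the mitigation took effect.
# Function names are hypothetical; the jar directory is supplied by the caller.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# True only if FLAG is an active (uncommented) line in the jvm.options file $1.
flag_in_options() {
  sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -Fxq -e "$FLAG"
}

# True if version $1 (e.g. 2.11.1) is 2.10 or later, the releases that honor FLAG.
# Returns 2 when the version string cannot be parsed.
version_honors_flag() {
  v_major=${1%%.*}
  v_minor=${1#*.}; v_minor=${v_minor%%.*}
  case "$v_major" in ''|*[!0-9]*) return 2 ;; esac
  case "$v_minor" in ''|*[!0-9]*) return 2 ;; esac
  [ "$v_major" -gt 2 ] || { [ "$v_major" -eq 2 ] && [ "$v_minor" -ge 10 ]; }
}

# Reports every log4j-core-<version>.jar under directory $1.
# Returns 1 if any jar predates 2.10 (or is unparseable) or if no jar is found.
check_log4j_jars() {
  c_rc=0; c_found=0
  c_jars=$(find "$1" -name 'log4j-core-*.jar' 2>/dev/null | sort)
  while IFS= read -r c_jar; do
    [ -n "$c_jar" ] || continue
    c_found=1
    c_ver=$(basename "$c_jar" .jar); c_ver=${c_ver#log4j-core-}
    if version_honors_flag "$c_ver"; then
      echo "OK   log4j-core $c_ver honors the flag"
    else
      echo "FAIL log4j-core $c_ver is older than 2.10 or unparseable"; c_rc=1
    fi
  done <<EOF
$c_jars
EOF
  [ "$c_found" -eq 1 ] || { echo "FAIL no log4j-core jar under $1"; return 1; }
  return "$c_rc"
}

# Usage: check.sh <jvm.options file> <directory holding Elasticsearch jars>
if [ "$#" -eq 2 ]; then
  if flag_in_options "$1"; then echo "OK   flag active in $1"
  else echo "FAIL flag not active in $1"; fi
  check_log4j_jars "$2"
fi
```

Run it with `/var/opt/opscode/elasticsearch/config/jvm.options` as the first argument and the directory that holds your Elasticsearch jars as the second.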