- January 20, 2021: this article was updated to include the release of Comply 2.2.2, resolving the Log4j vulnerability in a third-party component. Further details below.
- December 28, 2021: this article was updated to include the Puppet Response to CVE-2021-44832. Further details below.
- December 20, 2021: this article was updated to include the Puppet Response to CVE-2021-45105. Further details below.
- December 17, 2021: This article was updated to include the Puppet Response to CVE-2021-45046. Please see updates below.
- December 15, 2021: This article was updated on December 15th to acknowledge that Puppet Comply may also be vulnerable to CVE-2021-44228 due to a third-party component that provides key functionality to the product. Puppet Comply does not use Log4j directly. Further details below.
What is the vulnerability?
CVE-2021-44228 is a remote code execution (RCE) vulnerability in the popular open source Log4j logging library, a third-party component used in Continuous Delivery for Puppet Enterprise. By exploiting this vulnerability, malicious actors can cause the application to log a crafted string and then use that string to execute arbitrary code on the target system.
Please note that a vulnerability in a third-party component that provides key functionality to Puppet Comply has recently been discovered. More information on this below.
Additional information:
- National Vulnerability Database information on the CVE
- Apache releases Log4j version 2.15.0 to address critical RCE vulnerability under exploitation
What Puppet products are impacted?
Continuous Delivery for PE versions 3.x and 4.x.
The pattern matching layout in Continuous Delivery for PE 4.10.3 does not use the Context Lookup or Thread Context Map pattern described in CVE-2021-45046. As such, CVE-2021-44228 is not exploitable in the latest release of Continuous Delivery for PE, version 4.10.3. Additionally, we are actively working on our next release of Continuous Delivery for PE, which will include Apache Log4j 2.16.0. The next version of Continuous Delivery for PE will be released as soon as safely possible.
As of December 17, the severity of CVE-2021-45046, the fix to address CVE-2021-44228 in Apache Log4j 2.15.0, has been changed from medium to critical. In response, we have released Continuous Delivery for PE version 4.10.4 with Apache Log4j 2.16.0. We still do not believe that Continuous Delivery for PE is vulnerable given the Log4j configuration and mitigation, but want to provide our users with the most up to date software possible as the situation evolves.
On December 20, in response to a new Log4j vulnerability, we released Continuous Delivery for PE version 4.10.5 with Apache Log4j 2.17.0. For more information regarding the vulnerability Continuous Delivery for PE 4.10.5 addresses, visit: https://nvd.nist.gov/vuln/detail/CVE-2021-45105.
On December 28, a new vulnerability was identified in Log4j through version 2.17.0. This is identified as CVE-2021-44832. Puppet has determined that none of our products are vulnerable to being exploited by this issue. The Log4j configuration in our product cannot be modified by users, which is a requirement for this vulnerability to be exploited. Puppet will include an update to Log4j as part of the regular release cadence.
Puppet Comply
Puppet Comply may be vulnerable to the recent Log4j vulnerability known as “log4shell” and identified as CVE-2021-44228, due to a third-party component that provides key functionality to the product. The Comply server itself is not affected by this vulnerability. Hosts running the scanner may be vulnerable to an escalation of privilege (EoP) vulnerability under certain circumstances.
It is worth noting that Puppet Comply does not use Log4j directly, but a third-party component that provides key functionality to the product does.
As of January 20, Puppet released Puppet Comply 2.2.2, which resolves the security vulnerabilities present in its embedded third-party dependency, CIS-CAT Pro Assessor v4.13.1. The log4j-core library was updated to version 2.17.0.
Is Puppet Enterprise impacted?
After an extensive security audit of the Puppet product portfolio, Puppet Enterprise is not impacted.
How do you mitigate this vulnerability?
Continuous Delivery for PE version 4.x
- Add the following to Java virtual machine arguments in the Advanced configuration and tuning section of the Config page in Puppet Application Manager: -Dlog4j.formatMsgNoLookups=true
- Redeploy when prompted by Puppet Application Manager.
Continuous Delivery for PE version 3.x
Either option listed below works, pick the one that works with what you have in place in your organization.
Option 1: Set a variable in the env-file
- On the Continuous Delivery for PE host, create or update a file at /etc/puppetlabs/cd4pe/env-extra with the following contents: JVM_ARGS=-Dlog4j.formatMsgNoLookups=true
  If you already have an environment variable named JVM_ARGS defined, update it to include -Dlog4j.formatMsgNoLookups=true
- Add the following argument to cd4pe_docker_extra_params on the cd4pe class: ["--env-file /etc/puppetlabs/cd4pe/env-extra"]
Option 2: Direct environmental variable
Pass the following to cd4pe_docker_extra_params on the cd4pe class: ["-e JVM_ARGS=-Dlog4j.formatMsgNoLookups=true"]
If you already have an environment variable named JVM_ARGS defined, update it to include -Dlog4j.formatMsgNoLookups=true
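The env-file step of Option 1 above, as an added example that is not Puppet's own tooling: a POSIX shell helper that creates the env-file with the required JVM_ARGS line, or, when a JVM_ARGS line already exists, appends -Dlog4j.formatMsgNoLookups=true to it without duplicating it on repeated runs. The function names ensure_jvm_flag and jvm_flag_present are mine, the demonstration at the bottom runs against a constructed temporary file rather than the real /etc/puppetlabs/cd4pe/env-extra path, and the helper assumes the unquoted KEY=VALUE form shown above (docker --env-file passes values verbatim, so quote characters would become part of the value).

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Puppet or cd4pe): make sure an
# env-file defines JVM_ARGS and that it contains the Log4j lookup-disabling flag.

FLAG='-Dlog4j.formatMsgNoLookups=true'

# ensure_jvm_flag FILE
#   - FILE missing:                      create it with JVM_ARGS=$FLAG
#   - no JVM_ARGS line:                  append JVM_ARGS=$FLAG
#   - JVM_ARGS line without the flag:    append the flag to that line, keeping
#                                        the existing arguments (e.g. -Xmx2g)
#   - JVM_ARGS line already has the flag: no change
# Prints the resulting JVM_ARGS line; returns non-zero only if the edit failed.
ensure_jvm_flag() {
    file=$1
    if [ ! -f "$file" ]; then
        printf 'JVM_ARGS=%s\n' "$FLAG" > "$file"
    elif ! grep -q '^JVM_ARGS=' "$file"; then
        printf 'JVM_ARGS=%s\n' "$FLAG" >> "$file"
    elif ! grep '^JVM_ARGS=' "$file" | grep -qF -- "$FLAG"; then
        tmp=$(mktemp) || return 1
        # Rewrite only the JVM_ARGS line; an empty "JVM_ARGS=" gets no leading space.
        awk -v flag="$FLAG" '
            /^JVM_ARGS=/ { sep = ($0 == "JVM_ARGS=") ? "" : " "; print $0 sep flag; next }
            { print }
        ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
        # cat-into-place (rather than mv) keeps the file's owner and mode.
    fi
    grep '^JVM_ARGS=' "$file"
}

# jvm_flag_present FILE
#   Returns 0 when FILE has a JVM_ARGS line containing the flag, 1 otherwise.
#   Useful as a post-change check or in a monitoring script.
jvm_flag_present() {
    grep '^JVM_ARGS=' "$1" 2>/dev/null | grep -qF -- "$FLAG"
}

# Demonstration on a constructed temporary env-file (constructed sample data).
demo=$(mktemp)
printf 'JVM_ARGS=-Xmx2g\nOTHER=1\n' > "$demo"
ensure_jvm_flag "$demo"   # JVM_ARGS=-Xmx2g -Dlog4j.formatMsgNoLookups=true
ensure_jvm_flag "$demo"   # second run leaves the line unchanged
jvm_flag_present "$demo" && echo "flag present"
rm -f "$demo"
```

On a 3.x host, run ensure_jvm_flag against the real env-extra path, confirm with jvm_flag_present, then apply the cd4pe_docker_extra_params change from the second step so the container actually receives the file. The flag is only honoured by Log4j 2.10 and later, and the article's own caution applies: it reduces exposure but is not a substitute for upgrading to a fixed 4.x release.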
Puppet Comply
As of December 15, Puppet was waiting for the third-party vendor to release a patch. Once the vendor has released a patch, Puppet will release an update for Puppet Comply.
As of January 20, Puppet released Puppet Comply 2.2.2, which resolves the security vulnerabilities present in its embedded third-party dependency, CIS-CAT Pro Assessor v4.13.1. The log4j-core library was updated to version 2.17.0.
What is Puppet doing to mitigate CVE-2021-44228?
Continuous Delivery for PE version 4.x
We have upgraded to a version of Log4j not vulnerable to this issue. This fix is available in Continuous Delivery for PE 4.10.3. Upgrade to 4.10.3 to install this fix.
As of December 17th, we have released a newer version of Continuous Delivery for PE, 4.10.4, in response to the severity of CVE-2021-45046 (the fix to address CVE-2021-44228 in Apache Log4j 2.15.0) being raised from medium to critical. Continuous Delivery for PE 4.10.4 includes Log4j 2.16.0.
On December 20th, we released Continuous Delivery for PE version 4.10.5 to address the recently published Log4j vulnerability, CVE-2021-45105. Continuous Delivery for PE version 4.10.5 includes Log4j 2.17.0. Upgrade to 4.10.5 to install the fix.
Continuous Delivery for PE version 3.x
As communicated in our End of Life notice, we do not support new release versions of Continuous Delivery for PE 3.x and do not release security fixes for 3.x. To address this remote code execution (RCE) vulnerability, follow the mitigation steps detailed above. However, we strongly recommend upgrading to version 4.x.
As of December 17th, the severity of CVE-2021-45046, the fix to address CVE-2021-44228 in Apache Log4j 2.15.0, has been changed from medium to critical. As such, we have released version 4.10.4 with Apache Log4j 2.16.0.
For Continuous Delivery for PE customers on version 3.x, since 3.x is end of life, there is no patched release of 3.x. The mitigation steps supplied above for version 3.x may reduce exposure to these vulnerabilities; however, we are unable to quantify by how much. Customers on 3.x who take the mitigation steps should continue to monitor their systems closely. We highly recommend upgrading to version 4.10.4.
On December 20th, we released Continuous Delivery for PE version 4.10.5 to address the recently published Log4j vulnerability, CVE-2021-45105. Continuous Delivery for PE version 4.10.5 includes Log4j 2.17.0.
For Continuous Delivery for PE customers on version 3.x, since 3.x is end of life, there is no patched release of 3.x. We highly recommend upgrading to version 4.10.5.
What do you do if you get a "Job cd4pe-migrate-object-store is invalid" error when upgrading to 4.10.4?
To troubleshoot this error, please visit this knowledge base article.
Puppet Comply
As of January 20, Puppet released Puppet Comply 2.2.2, which resolves the security vulnerabilities present in its embedded third-party dependency, CIS-CAT Pro Assessor v4.13.1. The log4j-core library was updated to version 2.17.0.