A critical zero-day exploit, known as Log4Shell, affecting the Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021. As soon as Couchbase became aware of this issue, our product and security teams investigated it and took action to protect our customers.

There are two Couchbase products currently affected by this issue:

  • Couchbase Server Enterprise Edition, when running the Couchbase Analytics service, versions 6.0.0 through 6.6.3 and versions 7.0.0 through 7.0.2.
  • Couchbase Elasticsearch Connector, versions prior to 4.2.13 and 4.3.3.

The Couchbase Server Community Edition is not impacted by this vulnerability, as this product does not contain the Couchbase Analytics service.

The Couchbase Database-as-a-Service, Couchbase Capella, has temporarily disabled the ability to deploy the Analytics Service. Additionally, clusters running the Analytics Service have been secured with an updated security patch.

We are not aware of any other Couchbase products that are affected by CVE-2021-44228. We also note that we are not aware of any Couchbase products affected by the additional Log4j issues CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.

As our internal investigation progresses, we may update this post with any additional relevant information as needed.  We encourage Couchbase Enterprise subscribers to review our published Knowledge Base Article (login required) for the most up-to-date information.

Couchbase Server:

Couchbase Server 6.6.4 and Couchbase Server 7.0.3, which contain the software update that resolves this vulnerability, were made available today, 14 December 2021.

We encourage all customers who run the Couchbase Analytics service to upgrade their clusters immediately. Please visit our download page at http://couchbase.com/downloads to download these new versions. Couchbase Server clusters running the Analytics service that are managed by the Couchbase Autonomous Operator are also affected and should be upgraded to Couchbase Server 6.6.4 or 7.0.3, as appropriate, as soon as possible.

Until you can upgrade to a fixed version of Couchbase Server, use the following workaround to mitigate the risk of this vulnerability.

The command below removes the JndiLookup class from every log4j-core jar in the Analytics library repository, whatever log4j 2.x version the jar carries. Without that class the JNDI lookup that CVE-2021-44228 abuses cannot be invoked. It must be run on every Analytics node, with write access to the jar files, and it requires the zip utility to be installed on the node:

$ find /opt/couchbase/lib/cbas/repo -name 'log4j-core*.jar' -type f | xargs -I{} sh -c 'echo patching {}; zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class'

To validate that the JndiLookup class is no longer present and that the removal command was executed correctly, run the following command. For every jar found, the listing should end with "0 files", as in the sample output below:

$ find /opt/couchbase/lib/cbas/repo -name 'log4j-core*.jar' -type f | xargs -I{} unzip -l {} '*JndiLookup.class'

Archive:  /opt/couchbase/lib/cbas/repo/log4j-core-2.14.1.jar
  Length      Date    Time    Name
---------  ---------- -----   ----
---------                     -------
        0                     0 files

After applying the removal command on every Analytics node, use the Cluster Restart API to restart all Analytics nodes. The restart is required because the running JVMs have already loaded the original classes; the modified jars only take effect once the processes start again.

Enterprise subscribers are also encouraged to review our published Knowledge Base Article for additional information on this workaround.
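As an added illustration (not part of the original advisory or of any Couchbase tooling), the following Python script performs the same workaround and verification using only the standard library, which is convenient on hosts or images where zip and unzip are not installed, or when you want to audit a whole tree of jars from one place. It scans for jars by the presence of the JndiLookup.class entry rather than by file name, so it goes slightly beyond the find pattern above and also catches a renamed or repackaged copy of log4j-core. Function names (strip_jndi_lookup, scan_jars, build_sample_repo, demo) are this example's own, and the jars it builds are constructed fixtures containing placeholder bytes, not real log4j classes.

```python
import os
import shutil
import tempfile
import zipfile

# The plugin class that CVE-2021-44228 needs; removing it is the Apache-recommended
# mitigation when upgrading is not immediately possible.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jndi_lookup_present(jar_path):
    """Return True if the jar still contains JndiLookup.class (the `unzip -l` check)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Remove JndiLookup.class from the jar (equivalent of `zip -q -d ...`).

    zipfile cannot delete in place, so the jar is rewritten to a temp file in the
    same directory and atomically moved over the original. Returns True if an entry
    was removed, False if the jar was already clean.
    """
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_ENTRY not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_ENTRY:
                    continue  # drop only this entry; everything else is copied as-is
                dst.writestr(info, src.read(info.filename))
    shutil.copymode(jar_path, tmp_path)  # keep the original file mode
    os.replace(tmp_path, jar_path)
    return True


def scan_jars(root):
    """Walk root and return every .jar that still carries JndiLookup.class.

    Matching on the entry name rather than on 'log4j-core*.jar' also catches a
    log4j-core copy that was renamed or bundled inside another jar.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if jndi_lookup_present(path):
                    hits.append(path)
            except zipfile.BadZipFile:
                pass  # not a real zip; nothing log4j-shaped to mitigate here
    return sorted(hits)


def build_sample_repo(root):
    """Constructed fixture: a fake lib/cbas/repo with one log4j-core jar carrying
    JndiLookup.class, one repackaged copy under another name, and one unrelated jar.
    The class bytes are placeholders, NOT real log4j code."""
    os.makedirs(root, exist_ok=True)

    def make_jar(name, entries):
        path = os.path.join(root, name)
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
        return path

    make_jar("log4j-core-2.14.1.jar", {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        JNDI_ENTRY: b"\xca\xfe\xba\xbe placeholder class bytes",
        "org/apache/logging/log4j/core/lookup/DateLookup.class": b"\xca\xfe\xba\xbe",
    })
    make_jar("vendor-bundle.jar", {JNDI_ENTRY: b"\xca\xfe\xba\xbe"})
    make_jar("other-lib.jar", {"com/example/Foo.class": b"\xca\xfe\xba\xbe"})


def demo():
    """Run scan -> strip -> re-scan on the fixture and return what each step found."""
    root = tempfile.mkdtemp(prefix="cbas-repo-")
    try:
        build_sample_repo(root)
        before = scan_jars(root)
        removed = [p for p in before if strip_jndi_lookup(p)]
        after = scan_jars(root)
        # The other entries must survive the rewrite, or the service will not start.
        with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar")) as zf:
            survivors = zf.namelist()
        return {
            "before": [os.path.basename(p) for p in before],
            "removed": [os.path.basename(p) for p in removed],
            "after": after,
            "survivors": survivors,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

On a real node you would call scan_jars("/opt/couchbase/lib/cbas/repo") and strip_jndi_lookup on each hit, then restart the Analytics nodes exactly as described above; the JVM keeps its already-loaded classes until it is restarted, so the rewrite alone does not close the hole on a running process.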

Couchbase Server when Managed by Couchbase Autonomous Operator:

Until a container image with the updated Couchbase Server is released, the workaround above can be applied in a container environment with a slightly different set of steps.

Copy the affected jar file out of the pod to a local system and apply the general workaround there. On Red Hat OpenShift the commands are the same with oc in place of kubectl. For example:

$ kubectl cp cb-example-0000:/opt/couchbase/lib/cbas/repo/jars/log4j-core-2.14.1.jar /tmp/log4j-core-2.14.1.jar

$ unzip -l /tmp/log4j-core-2.14.1.jar | grep -i JndiL

  2937  03-06-2021 22:12   org/apache/logging/log4j/core/lookup/JndiLookup.class

$ zip -q -d /tmp/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

$ unzip -l /tmp/log4j-core-2.14.1.jar | grep -i JndiL | wc -l

  0

Then copy the modified jar file back into the pod. For example:

$ kubectl cp /tmp/log4j-core-2.14.1.jar cb-example-0000:/opt/couchbase/lib/cbas/repo/jars/log4j-core-2.14.1.jar

Finally, restart the Couchbase Server Analytics processes using the Cluster Restart API noted above. Repeat the copy-out, patch and copy-in steps for every Analytics pod. Because the change lives only in the pod's filesystem, any new pod created through configuration changes to the CouchbaseCluster resource, or any pod recreated in the course of normal operations, starts from the unpatched image and will need the mitigation reapplied.

Couchbase Elasticsearch Connector:

We encourage all customers to upgrade to the latest versions of the Couchbase Elasticsearch Connector, which include a fix for this issue. Versions 4.2.13 and 4.3.3 are available now. The release notes provide additional details and download links. If you need to mitigate in place instead, the Knowledge Base Article describes how to update the jar file in place.

If you have any questions, please visit the Couchbase Community Forums. If you are a Couchbase Enterprise customer and have additional questions, please open a support case.

Author

Posted by Ian McCloy, Director Product Management

Ian McCloy is the Director of the Platform and Security Product Management Group for Couchbase and lives in the United Kingdom. His dedicated team is responsible for the Reliability, Availability, Serviceability and Security architecture of Couchbase Server and the SaaS Database, Capella. This team also own cloud-native platforms like the Couchbase Kubernetes Autonomous Operator. Ian has a vast range of experience as a Software Engineer, Technical Support Engineer, Quality Assurance Engineer and Systems Administrator. Ian has led global technical teams for the majority of his 20 year professional career and holds several patents in the areas of information security, virtualisation and hardware design. https://www.linkedin.com/in/ianmccloy/
