Data Prepper Security Patches

Data Prepper
,
1

Please update Data Prepper. The latest versions include a fix for a Log4j vulnerability CVE-2021-44228.

For the OpenSearch distribution, you should install Data Prepper 1.1.1. For the OpenDistro distribution of Data Prepper, please install Data Prepper 1.0.1.

OpenSearch Data Prepper 1.1.1 is available in Docker.

Please pull this version as soon as possible to remedy this vulnerability.

docker pull opensearchproject/data-prepper:latest

or

docker pull opensearchproject/data-prepper:1.1.1

You can validate that you have the fix using the following command:

docker run opensearchproject/data-prepper jar -tvf /usr/share/data-prepper/data-prepper.jar | grep org/apache/logging/log4j/core/ | head -n 10

You should see files files dated Dec 09, 2021

     0 Thu Dec 09 11:25:46 UTC 2021 META-INF/org/apache/logging/log4j/core/
     0 Thu Dec 09 11:25:46 UTC 2021 META-INF/org/apache/logging/log4j/core/config/
     0 Thu Dec 09 11:25:46 UTC 2021 META-INF/org/apache/logging/log4j/core/config/plugins/
 20912 Thu Dec 09 11:25:46 UTC 2021 META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat
     0 Thu Dec 09 11:25:54 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/
     0 Thu Dec 09 11:25:54 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/
  1120 Thu Dec 09 11:25:38 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/SystemClock.class
     0 Thu Dec 09 11:25:44 UTC 2021 org/apache/logging/log4j/core/
  3885 Thu Dec 09 11:25:42 UTC 2021 org/apache/logging/log4j/core/AbstractLifeCycle.class
  3361 Thu Dec 09 11:25:44 UTC 2021 org/apache/logging/log4j/core/AbstractLogEvent.class
2 Likes
2

For users who are still using the ODFE Data Prepper, the Docker update is available. ODFE Data Prepper 1.0.1 is now available in Docker.

amazon/opendistro-for-elasticsearch-data-prepper:latest

You can verify by running the following command:

docker run amazon/opendistro-for-elasticsearch-data-prepper:latest jar -tvf /usr/share/data-prepper/data-prepper.jar | grep org/apache/logging/log4j/core/ | head -n 10

Again, you should see files dated Dec 09, 2021.

3

The OpenDistro Data Prepper 1.0.1 archives are now available for download. Please visit the OpenDistro downloads page to get the latest versions.

Once you have installed, you can verify that you have the correct version.

ls bin/

This should output the version in the jar file.

data-prepper-core-1.0.1.jar

Second, you can check that log4j-core was built on Dec 9, 2021.

jar tvf bin/data-prepper-core-1.0.1.jar | grep org/apache/logging/log4j/core/ | head -n 10

     0 Thu Dec 09 11:25:46 UTC 2021 META-INF/org/apache/logging/log4j/core/
     0 Thu Dec 09 11:25:46 UTC 2021 META-INF/org/apache/logging/log4j/core/config/
     0 Thu Dec 09 11:25:46 UTC 2021 META-INF/org/apache/logging/log4j/core/config/plugins/
 20912 Thu Dec 09 11:25:46 UTC 2021 META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat
     0 Thu Dec 09 11:25:54 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/
     0 Thu Dec 09 11:25:54 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/
  1120 Thu Dec 09 11:25:38 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/SystemClock.class
     0 Thu Dec 09 11:25:44 UTC 2021 org/apache/logging/log4j/core/
  3885 Thu Dec 09 11:25:42 UTC 2021 org/apache/logging/log4j/core/AbstractLifeCycle.class
  3361 Thu Dec 09 11:25:44 UTC 2021 org/apache/logging/log4j/core/AbstractLogEvent.class
1 Like