OpenDistro Data Prepper 1.0.2 - Security Patch

dlv · December 15, 2021, 11:31pm

We released the OpenDistro distribution Data Prepper 1.0.1 last Friday to address a CVE in log4j.

Since then a new CVE was reported - CVE-2021-45046. Today, Data Prepper 1.0.2 is now available, using log4j-2.16.0. This resolves both log4j CVEs.

Please pull the latest version of Docker:

docker pull amazon/opendistro-for-elasticsearch-data-prepper:latest

You can verify you have the correct version using the following.

 docker run amazon/opendistro-for-elasticsearch-data-prepper jar -tvf /usr/share/data-prepper/data-prepper.jar | grep org/apache/logging/log4j/core/ | head -n 10

The dates should be Dec 12, when log4j-2.16.0 was released.

     0 Sun Dec 12 23:41:16 UTC 2021 META-INF/org/apache/logging/log4j/core/
     0 Sun Dec 12 23:41:16 UTC 2021 META-INF/org/apache/logging/log4j/core/config/
     0 Sun Dec 12 23:41:16 UTC 2021 META-INF/org/apache/logging/log4j/core/config/plugins/
 20912 Sun Dec 12 23:41:16 UTC 2021 META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat
     0 Sun Dec 12 23:41:20 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/
     0 Sun Dec 12 23:41:20 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/
  1120 Sun Dec 12 23:41:10 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/SystemClock.class
     0 Sun Dec 12 23:41:14 UTC 2021 org/apache/logging/log4j/core/
  3885 Sun Dec 12 23:41:14 UTC 2021 org/apache/logging/log4j/core/AbstractLifeCycle.class
  3361 Sun Dec 12 23:41:14 UTC 2021 org/apache/logging/log4j/core/AbstractLogEvent.class

dlv · December 16, 2021, 1:30am

The OpenDistro Data Prepper 1.0.2 archives are now available for download. Please visit the OpenDistro downloads page to get the latest versions.

Once you have downloaded and extracted, you can verify that you have the correct version.

You can verify the build date of the log4j files are Dec 12. First, cd into the directory, then run:

jar tvf bin/data-prepper-core-1.0.2.jar | grep org/apache/logging/log4j/core/ | head -n 10

     0 Sun Dec 12 23:41:16 CST 2021 META-INF/org/apache/logging/log4j/core/
     0 Sun Dec 12 23:41:16 CST 2021 META-INF/org/apache/logging/log4j/core/config/
     0 Sun Dec 12 23:41:16 CST 2021 META-INF/org/apache/logging/log4j/core/config/plugins/
 20912 Sun Dec 12 23:41:16 CST 2021 META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat
     0 Sun Dec 12 23:41:20 CST 2021 META-INF/versions/9/org/apache/logging/log4j/core/
     0 Sun Dec 12 23:41:20 CST 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/
  1120 Sun Dec 12 23:41:10 CST 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/SystemClock.class
     0 Sun Dec 12 23:41:14 CST 2021 org/apache/logging/log4j/core/
  3885 Sun Dec 12 23:41:14 CST 2021 org/apache/logging/log4j/core/AbstractLifeCycle.class
  3361 Sun Dec 12 23:41:14 CST 2021 org/apache/logging/log4j/core/AbstractLogEvent.class

Topic		Replies	Views
Data Prepper Security Patches Data Prepper cve , security-issue	3	630	December 11, 2021
Data Prepper Security Patches - for Trace Analytics Observability cve , security-issue	1	516	February 6, 2023
Data Prepper 1.2.0 Released! Data Prepper cve	1	536	February 6, 2023
Data Prepper 1.2.1 Released Data Prepper	1	416	February 7, 2023
Data Prepper Distributions Update Data Prepper	1	420	February 7, 2023

OpenDistro Data Prepper 1.0.2 - Security Patch

Related topics