We released the OpenDistro distribution Data Prepper 1.0.1 last Friday to address a CVE in log4j.
Since then a new CVE was reported - CVE-2021-45046. Today, Data Prepper 1.0.2 is now available, using log4j-2.16.0. This resolves both log4j CVEs.
Please pull the latest version of Docker:
docker pull amazon/opendistro-for-elasticsearch-data-prepper:latest
You can verify you have the correct version using the following.
docker run amazon/opendistro-for-elasticsearch-data-prepper jar -tvf /usr/share/data-prepper/data-prepper.jar | grep org/apache/logging/log4j/core/ | head -n 10
The dates should be Dec 12, when log4j-2.16.0 was released.
0 Sun Dec 12 23:41:16 UTC 2021 META-INF/org/apache/logging/log4j/core/
0 Sun Dec 12 23:41:16 UTC 2021 META-INF/org/apache/logging/log4j/core/config/
0 Sun Dec 12 23:41:16 UTC 2021 META-INF/org/apache/logging/log4j/core/config/plugins/
20912 Sun Dec 12 23:41:16 UTC 2021 META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat
0 Sun Dec 12 23:41:20 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/
0 Sun Dec 12 23:41:20 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/
1120 Sun Dec 12 23:41:10 UTC 2021 META-INF/versions/9/org/apache/logging/log4j/core/util/SystemClock.class
0 Sun Dec 12 23:41:14 UTC 2021 org/apache/logging/log4j/core/
3885 Sun Dec 12 23:41:14 UTC 2021 org/apache/logging/log4j/core/AbstractLifeCycle.class
3361 Sun Dec 12 23:41:14 UTC 2021 org/apache/logging/log4j/core/AbstractLogEvent.class