Calico Enterprise affected by CVE-2021-44228
Customers running Calico Enterprise may be vulnerable to remote code execution via log4j in Elasticsearch. Calico Enterprise’s deployment of Elasticsearch uses a vulnerable version of log4j, which may allow a remote attacker to download and execute code if an attacker-controlled string is logged. Calico Enterprise v3.4 and later include network policies that restrict Elasticsearch egress access to external IPs by default. Calico Enterprise deployments without Elasticsearch are unaffected by this vulnerability.
Calico Cloud has already addressed this vulnerability and is no longer affected.
Calico Opensource does not use Elasticsearch and is unaffected by this vulnerability.
A successful attack will allow a remote attacker to retrieve a payload from an external resource and execute it on the Elasticsearch pod. Calico Enterprise v3.4 and later have network policies that restrict the Elasticsearch pod from accessing non-Calico services, pods and external IPs, so further compromise of the cluster would be needed before the attacker could retrieve its payload.
- Calico Enterprise (all versions; v3.4 and later have the mitigation in place)
Indicators of Impact/Compromise
Elasticsearch reaching external IPs or non-Calico workloads. If the egress network policy is in place, the denied traffic can be observed.
Workaround / Remediation
For Enterprise v3.4 or higher: verify that the network policy is present: `kubectl get networkpolicy.p -n tigera-elasticsearch allow-tigera.elasticsearch-access`. If the network policies were not applied during installation, apply the policy file found in the installation document you followed.
Updated releases containing patched Elasticsearch software will be published once fixed Elasticsearch releases are available.
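As an added example (not from the advisory or from Tigera), a POSIX shell helper that performs the verification step above and applies a caller-supplied policy file only when the policy is missing. The KUBECTL override, the function names and the exit-code convention are assumptions of this script; the namespace and policy name are the ones given in the advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory. KUBECTL can be overridden so the
# helper can be exercised against a stub; the namespace and policy name
# come from the advisory text.
KUBECTL="${KUBECTL:-kubectl}"
POLICY_NS="tigera-elasticsearch"
POLICY_NAME="allow-tigera.elasticsearch-access"

# Exit codes (an assumption of this script): 0 = policy present,
# 1 = policy missing, 2 = kubectl failed for another reason.
check_es_egress_policy() {
  out=$("$KUBECTL" get networkpolicy.p -n "$POLICY_NS" "$POLICY_NAME" -o name 2>&1)
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "ok: $out present in namespace $POLICY_NS"
    return 0
  fi
  case "$out" in
    *NotFound*|*"not found"*)
      echo "missing: $POLICY_NAME not found in namespace $POLICY_NS"
      return 1 ;;
    *)
      echo "error: $out"
      return 2 ;;
  esac
}

# Apply the policy file from the installation document only when the
# policy is absent; any other kubectl failure is passed through unchanged.
ensure_es_egress_policy() {
  policy_file="$1"
  check_es_egress_policy
  status=$?
  [ "$status" -eq 0 ] && return 0
  [ "$status" -eq 1 ] || return "$status"
  if [ -z "$policy_file" ]; then
    echo "policy missing and no policy file supplied"
    return 1
  fi
  "$KUBECTL" apply -f "$policy_file" || return 2
  # Re-run the advisory's verification so the caller gets a confirmed state.
  check_es_egress_policy
}
```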