Lab - Deploy Example (Log4Shell)
FIX_MISSING_IMAGES
Access the Student VM via SSH
The student VM host serves as an important access point into the environment, so you must ensure you can connect to it.
Requirements
-
The ssh address for the bastion host:
-
For example, 'lab-user@bastion.4klh8.sandbox1150.opentlc.com'
-
-
The username and password for the Linux student VM (lab-user)
This information will be available in the services tab at demo.redhat.com. Or in the lab provisioning email. |
Procedure
-
Connect to your student VM host using the command and password you received in the provisioning email:
ssh lab-user@bastion.<$GUID>.<$BASEDOMAIN> The authenticity of host' bastion.4klh8.sandbox1150.opentlc.com (3.134.153.6)' cant be established. ED25519 key fingerprint is SHA256:g0H5C1vP1xNqhL7fp0HxMRDPgjgzuAdi3ZIyKQl1mPU. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
-
Verify that the GUID variable is set correctly for your environment:
echo $GUID c3po
Your GUID may be a 4- or 5-character alphanumeric string. |
Test Log4Shell Policy
In this lab, you demonstrate how to quickly stop workloads with log4shell
vulnerabilities from deploying using Red Hat Advanced Cluster Security for Kubernetes (RHACS). You also learn how to locate workloads with log4shell
.
The Log4Shell policy is a build- and deployment-time policy. It analyses the image file for vulnerable Java™ Log4J versions.
Deploy Vulnerable Image
ADD COMMENTARY
Procedure
-
Let’s start by creating a new project and deploying a vulnerable Log4Shell application.
oc new-project log4shell Now using project "log4shell" on server "https://api.cluster-fdg9s.fdg9s.sandbox674.opentlc.com:6443". You can add applications to this project with the 'new-app' command. For example, try: oc new-app rails-postgresql-example to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application: kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname
-
Deploy the vulnerable application.
-
Create a Deployment manifest file:
cat << EOF >deploy.yaml apiVersion: apps/v1 kind: Deployment metadata: name: log4shell namespace: log4shell spec: replicas: 1 selector: matchLabels: deployment: log4shell template: metadata: labels: deployment: log4shell spec: containers: - image: quay.io/gpte-devops-automation/log4shell-vuln-app:v0.1.1 imagePullPolicy: IfNotPresent name: log4shell ports: - containerPort: 8080 protocol: TCP resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File restartPolicy: Always EOF
-
Create the Deployment based on the manifest file:
oc create -f ./deploy.yaml
-
Notice the application was deployed without issues.
Check for vulnerability in ACS dashboard.
It is now possible to see the Log4Shell vulnerability in the ACS dashboard.
Procedure
-
In the ACS dashboard, navigate to Violations
Notice Log4Shell: log4j Remote Code Execution vulnerability
is now visible in the violations list.
-
Click on the
Log4Shell: log4j Remote Code Execution vulnerability
to get more information on the violation. -
Click on the Deployment tab to view information about the vulnerable deployment.
-
Click on the Policy tab to view the current policy.
-
Delete the log4shell deployment:
oc delete -f ./deploy.yaml
Set Deploy Time Enforcement to On
You must enable deploy-time enforcement for the Log4Shell: log4j Remote Code Execution vulnerability
policy.
Procedure
-
Navigate to Platform Configuration → Policy Management and find the policy called
Log4Shell: log4j Remote Code Execution vulnerability
.To find the policy quickly, type Policy
followed byLog4Shell
into the filter bar on the Policy Management page. -
Select the policy by clicking the three dots to the right and select
Edit policy
. -
Use the
Policy Behavior
tab and enable runtime enforcement by clicking theinform and enforce button
underResponse Method
-
Scroll down to
Configure enforcement behavior
and switch both theEnforce on Build
andDEnforce on Deploy
selectors to on. -
Click Review Policy on the left and Save.
-
Redeploy the vulnerable image
oc create -f ./deploy.yaml
-
Examine the output and note that the Deployment failed to start:
Error from server (Failed currently enforced policies from StackRox): error when creating "./deploy.yaml": admission webhook "policyeval.stackrox.io" denied the request: The attempted operation violated 1 enforced policy, described below: Policy: Log4Shell: log4j Remote Code Execution vulnerability - Description: ↳ Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2. - Rationale: ↳ These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup. - Remediation: ↳ Update the log4j libary to version 2.16.0 (for Java 8 or later), 2.12.2 (for Java 7) or later. If not possible to upgrade, then remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class - Violations: - CVE-2021-44228 (CVSS 10) (severity Critical) found in component 'log4j' (version 2.14.1) in container 'log4shell' - CVE-2021-45046 (CVSS 9) (severity Critical) found in component 'log4j' (version 2.14.1) in container 'log4shell' In case of emergency, add the annotation {"admission.stackrox.io/break-glass": "ticket-1234"} to your deployment with an updated ticket number
You might get a different message, detailed below. RHACS has not yet scanned the image, and is blocking unscanned images from deployment. If that is the case, simpley run the
oc create -f ./deploy.yaml
again and it will have scanned the image. Now the deployment will trigger the log4j violations above.Error from server (Failed currently enforced policies from StackRox): error when creating "./deploy.yaml": admission webhook "policyeval.stackrox.io" denied the request: The attempted operation violated 1 enforced policy, described below: Policy: Images with no scans - Description: ↳ Alert on deployments with images that have not been scanned - Rationale: ↳ Without a scan, there will be no vulnerability information for this image - Remediation: ↳ Configure the appropriate registry and scanner integrations so that StackRox can obtain scans for your images. - Violations: - Image in container 'log4shell' has not been scanned In case of emergency, add the annotation {"admission.stackrox.io/break-glass": "ticket-1234"} to your deployment with an updated ticket number