
Amazon Linux Log4jhotpatch Error with Streamsets Datacollector


rvlozano
StreamSets Employee

Issue:

Since December 2021, Amazon Linux 1 and 2 use Log4jhotpatch by default in their AMI images. The tool/service injects a Java agent into a running JVM process and attempts to add an "agent" jar file to the Streamsets class path. This may cause an error during Streamsets startup because of Java security policies. The error usually occurs when using systemd or init.d startup scripts with Streamsets services (e.g. Data Collector). The error does not affect the Streamsets service in any way. Streamsets already has remediation instructions and patches in place. Please read the following bulletin for further information:

Technical Service Bulletin 2021-12-14 (TSB) - Update on Apache Log4j Zero-day Vulnerability Assessment and Remediation (CVE-2021-44228)

 

Error:

Exception in thread "Attach Listener" java.lang.ExceptionInInitializerError
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
  at sun.instrument.InstrumentationImpl.loadClassAndCallAgentmain(InstrumentationImpl.java:411)
    Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermiss... "read")
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
  at java.security.AccessController.checkPermission(AccessController.java:886)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
  at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
  at java.lang.System.getProperty(System.java:755)
  at Log4jHotPatch.<clinit>(Log4jHotPatch.java:59)
... 6 more
Agent failed to start

 

Resolution:

Disable the Log4jHotPatch tool by running the following command:

sudo touch /etc/log4j-cve-2021-44228-hotpatch.kill 

Then restart the Streamsets service (e.g. Data Collector).
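
To confirm that a startup log shows this specific agent failure before or after applying the resolution, the following added example (not StreamSets or AWS code) scans a log for the trace above and reports whether the kill file exists. The function names and status strings are hypothetical, and the sample log is constructed from the trace shown in this article.

```shell
#!/bin/sh
# Added example; not StreamSets or AWS code. Function names are hypothetical.
# Kill-file path is the one given in the article; override KILL_FILE for testing.
KILL_FILE="${KILL_FILE:-/etc/log4j-cve-2021-44228-hotpatch.kill}"

# Constructed sample: abbreviated copy of the trace shown in the article.
sample_log() {
cat <<'EOF'
Exception in thread "Attach Listener" java.lang.ExceptionInInitializerError
  at sun.instrument.InstrumentationImpl.loadClassAndCallAgentmain(InstrumentationImpl.java:411)
    Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermiss... "read")
  at java.lang.System.getProperty(System.java:755)
  at Log4jHotPatch.<clinit>(Log4jHotPatch.java:59)
... 6 more
Agent failed to start
EOF
}

# Exit 0 only when a single trace contains, in order: the AccessControlException,
# a Log4jHotPatch.<clinit> frame, and the "Agent failed to start" line.
has_hotpatch_error() {
    awk '
        /Exception in thread/ { denied = 0; patch = 0 }   # new trace: reset state
        /java\.security\.AccessControlException: access denied/ { denied = 1 }
        denied && /at Log4jHotPatch\.<clinit>/ { patch = 1 }
        patch && /Agent failed to start/ { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print one status word for a log file given as $1.
triage() {
    if ! has_hotpatch_error "$1"; then
        echo "no-hotpatch-error"      # some other problem, or a clean start
    elif [ -e "$KILL_FILE" ]; then
        echo "kill-file-present"      # entries predate the kill file, or a restart is pending
    else
        echo "kill-file-missing"      # the resolution has not been applied yet
    fi
}

# Demo on the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
triage "$demo_log"
rm -f "$demo_log"
```
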

 

References:

Amazon Linux Hotpatch Announcement for Apache Log4j
https://alas.aws.amazon.com/announcements/2021-001.html

Hotpatch for Apache Log4j
https://aws.amazon.com/blogs/opensource/hotpatch-for-apache-log4j/
