if you’ve read the news recently, you must hear about the Log4Shell zero-day in log4j, this vulnerability affects at least millions of computer, system, and java applications. I won’t elaborate details here, for more information about this, you can check out from here.
In this article, I will be talking about how to add kong plugins to mitigate log4shell attacks, an engineer at Kong has developed a plugin to mitigate attacks. Kong said their kong products are not affected by log4shell.
Prepare
Download the below files to local. Kong Dockerfile will be used to build a new image, Kong Log4shell is a Kong plugin, and Luarocks is used to install plugin to Kong.
The image will be based on centos 8, plugin tar file, lurocks, lurocks-admin and kong configuration file are needed to place docker-kong/centos/ directory.
Enable Kong Plugin
To make kong aware that it has to look for our plugin, we need to add it to the plugins property in the configuration file, which is separated by a comma.
Update Dockerfile
I’ve updated official Dockerfile by copying luarocks, kong configuration, installing the kong plugin, and setting up permission.
FROM centos:8
LABEL maintainer="Kong <support@konghq.com>"
ARG ASSET=ce
ENV ASSET $ASSET
ARG EE_PORTS
COPY kong.rpm /tmp/kong.rpm
COPY ./luarocks /usr/bin/
COPY ./luarocks-admin /usr/bin/
COPY ./kong-plugin-log4shell.tar.gz /
COPY ./kong.conf.default /etc/kong/kong.conf
ARG KONG_VERSION=2.7.0
ENV KONG_VERSION $KONG_VERSION
ARG KONG_SHA256="d69aedffbecf697482f7ef3f9ea8087e6487702e1683732205aaed108adb0c3d"
# hadolint ignore=DL3033
RUN set -ex; \
if [ "$ASSET" = "ce" ] ; then \
curl -fL https://download.konghq.com/gateway-${KONG_VERSION%%.*}.x-centos-8/Packages/k/kong-$KONG_VERSION.el8.amd64.rpm -o /tmp/kong.rpm \
&& echo "$KONG_SHA256 /tmp/kong.rpm" | sha256sum -c -; \
else \
# this needs to stay inside this "else" block so that it does not become part of the "official images" builds (https://github.com/docker-library/official-images/pull/11532#issuecomment-996219700)
yum update -y \
&& yum upgrade -y ; \
fi; \
yum install -y -q unzip shadow-utils git \
&& yum clean all -q \
&& rm -fr /var/cache/yum/* /tmp/yum_save*.yumtx /root/.pki \
# Please update the centos install docs if the below line is changed so that
# end users can properly install Kong along with its required dependencies
# and that our CI does not diverge from our docs.
&& yum install -y /tmp/kong.rpm \
&& yum clean all \
&& rm /tmp/kong.rpm \
&& chown kong:0 /usr/local/bin/kong \
&& chown -R kong:0 /usr/local/kong \
&& ln -s /usr/local/openresty/bin/resty /usr/local/bin/resty \
&& ln -s /usr/local/openresty/luajit/bin/luajit /usr/local/bin/luajit \
&& ln -s /usr/local/openresty/luajit/bin/luajit /usr/local/bin/lua \
&& ln -s /usr/local/openresty/nginx/sbin/nginx /usr/local/bin/nginx \
&& tar zxvf /kong-plugin-log4shell.tar.gz\
&& cd /kong-plugin-log4shell \
&& luarocks make \
&& chown kong:kong /usr/local/share/lua/5.1/kong/plugins/log4shell \
&& if [ "$ASSET" = "ce" ] ; then \
kong version; \
fi
COPY docker-entrypoint.sh /docker-entrypoint.sh
USER kong
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 8000 8443 8001 8444 $EE_PORTS
STOPSIGNAL SIGQUIT
HEALTHCHECK --interval=10s --timeout=10s --retries=10 CMD kong health
CMD ["kong", "docker-start"]Verify plugins
To make sure plugin is being loaded by Kong, we can start Kong with a debug log level:
docker run -it --rm --name kong -e "KONG_DATABASE=off" -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" -e "KONG_PROXY_ERROR_LOG=/dev/stderr" -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" -e "KONG_LOG_LEVEL=debug" kong:2.7.0
Conclusion
To wrap this up, let’s recap what we’ve learned in this post.
- Log4Shell is a remote code execution vulnerability in Log4J, a popular Java logging library
- No Kong products are affected by log4shell
- Kong-plugin-log4shell plugin can mitigate log4shell attack.
Reference
Log4J, Log4Shell and Kong – KongHQ
Plugin Development – (un)Installing your plugin – v2.7.x | Kong Docs (konghq.com)