question Re: log4j2 vulnerability (CVE-2021-44228) in Support Questions

log4j2 vulnerability (CVE-2021-44228)

MorK — Mon, 13 Dec 2021 15:09:23 GMT

Hello,

I wanted to ask if there's a page / instructions / info regarding the recent log4j2 vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and how it can affect Cloudera CDH setups? If it does affect, what are the recommended mitigations on it?

Thanks,

Mor

Re: log4j2 vulnerability

MartinTerreni — Sun, 12 Dec 2021 09:41:58 GMT

It is in deed an important question.

Re: log4j2 vulnerability

RajeshTripathy — Sun, 12 Dec 2021 21:33:39 GMT

Following - Cloudera please provide recommendations as this is really urgent.

Re: log4j2 vulnerability

Shahrukh — Mon, 13 Dec 2021 03:26:21 GMT

Please go through below apache docs, its might help

https://logging.apache.org/log4j/2.x/manual/migration.html

CVE-2021-44228 - log4j Arbitrary RCE

Hanumantha — Mon, 13 Dec 2021 07:30:59 GMT

Hi All,

Is there any impact of CVE-2021-44228 - log4j Arbitrary RCE on CDH 5.x and 6.x??

Regards,

Hanu

Regarding log4j CVE-2021-44228

sri840 — Mon, 13 Dec 2021 09:41:23 GMT

Hi Team,

Currenlty in our organization we are using Cloudera 6.3.1 express edition, recently our company security team came up with log4j CVE-2021-44228 vulnerable, Could you please suggest due to this any problem for cloudera ?

Thanks

Srikanth

Re: Regarding log4j CVE-2021-44228

ThomasHopewell — Mon, 13 Dec 2021 10:04:55 GMT

I second this question. I currently administer a CDH 5.16 cluster that we're in the process of upgrading to CDP 7.x. Is there a statement from cloudera about the extent of the vulnerablility in their products and how we can go about patching it?

Re: Regarding log4j CVE-2021-44228

sri840 — Mon, 13 Dec 2021 10:19:28 GMT

Hi Thomas

Could you please refer to below url , this statement came from apache, but not from Cloudera.

https://logging.apache.org/log4j/2.x/security.html

Thanks

Srikanth

Remote code injection in Log4j affect on NIFI

gauravsuri — Mon, 13 Dec 2021 10:58:54 GMT

Hi Team,

There is a vulnerability reported for Log4J in in the below link:-

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

As per our knowledge, NIFI uses LOGback which is a successor of Log4J, so we should not be having any issues/vulnerabilities with NIFI. But, we wanted to be sure of the same. Please share if in case anyone has any thoughts for NIFI over this.

We are using NIFI 1.8 currently in our organization which uses Logback 1.1.3

Re: Regarding log4j CVE-2021-44228

ThomasHopewell — Mon, 13 Dec 2021 13:54:42 GMT

Hi Srikanth,

Thanks for that, it's a helpful link.

It would still be great to get something offical from Cloudera. I've emailed our rep with them to see if he has any info. If he gets back to me, I'll drop anything relevant back into this thread.

Regards,

Tom

Re: CVE-2021-44228 - log4j Arbitrary RCE

cjervis — Mon, 13 Dec 2021 13:59:27 GMT

Cloudera platform security teams are actively assessing the impact to our on-premises and cloud products and will provide an impact analysis update to customers as soon as possible.

Re: log4j2 vulnerability (CVE-2021-44228)

Eric_B — Mon, 13 Dec 2021 16:26:36 GMT

Hive I believe is vulnerable and running 2.10.

Re: log4j2 vulnerability (CVE-2021-44228)

dward4 — Mon, 13 Dec 2021 19:00:50 GMT

I'm also curious about hive, not sure how to remediate.

Re: log4j2 vulnerability (CVE-2021-44228)

Eric_B — Mon, 13 Dec 2021 19:04:16 GMT

Obviously, the best solution would be to replace all jars with the latest Log4j2 jars, but the way Cloudera does things now it might break things. In the long term, better to wait for them to make a statement.

Here's a link that may help, look under workarounds: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

Re: log4j2 vulnerability (CVE-2021-44228)

jimcovert — Mon, 13 Dec 2021 19:09:26 GMT

I noticed this new repo on Cloudera's GitHub but have not seen any official communication about it on Cloudera's site, from our account team, or via the proactive support channels - that makes me leery about using it in our environment.

https://github.com/cloudera/cloudera-scripts-for-log4j

Re: log4j2 vulnerability (CVE-2021-44228)

Eric_B — Mon, 13 Dec 2021 19:15:43 GMT

Agreed. Glad to see anything being done, but an official message needs to be put out before I destroy production lol.

Re: log4j2 vulnerability (CVE-2021-44228)

cjervis — Mon, 13 Dec 2021 19:58:10 GMT

All, please read the Cloudera blog article on this topic:

Cloudera Response to CVE-2021-4428

Re: log4j2 vulnerability (CVE-2021-44228)

Baxy — Mon, 13 Dec 2021 20:28:27 GMT

Latest Cloudera Hive JDBC driver 2.6.15 contains shaded log4j2 v2.13.3 (according to pom.xml in META-INF/maven/org.apache.logging.log4j/log4j-core)

Re: log4j2 vulnerability (CVE-2021-44228)

Eric_B — Mon, 13 Dec 2021 21:47:13 GMT

The TSB is not available unless you have a Knowledge Base subscription. Given the severity of the problem, will this information be made available to the public?

Re: log4j2 vulnerability (CVE-2021-44228)

ask_bill_brooks — Tue, 14 Dec 2021 06:46:45 GMT

@Eric_B Yes. There is a link for non-customers of Cloudera in the blog article linked above. It's at the end of the paragraph beginning "What Cloudera products and versions are affected?"