https://community.cloudera.com/t5/Support-Questions/What-all-vulnerabilities-related-to-Log4j1-and-Log4j2-are/m-p/357796#M237668 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/101861">@YogeshKumar</a>&nbsp;</P> <P>I'm curious as to exactly how you have determined that, because you have identified that there are previously identified vulnerabilities of critical, high and moderate severity in Log4j1 and Log4j2, that CDH 6.3.4 is exposed to those same vulnerabilities?</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 16 Nov 2022 16:24:06 GMT ask_bill_brooks 2022-11-16T16:24:06Z https://community.cloudera.com/t5/Support-Questions/What-all-vulnerabilities-related-to-Log4j1-and-Log4j2-are/m-p/357794#M237667 <P>I believe below mentioned CVEs are either addressed or fixed through patching in CDH 6.3.4 -</P><UL><LI><A class="fui-Link ___m14voj0 f3rmtva f1ern45e f1deefiw f1n71otn f1q5o8ev f1h8hb77 f1vxd6vx f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f9n3di6 f1ids18y fygtlnl f1deo86v f12x56k7 f1iescvh ftqa4ok f50u1b5 fs3pq8b f1hghxdh f1tymzes f1x7u7e9 f1cmlufx f10aw75t fsle3fq" title="https://www.cvedetails.com/cve/CVE-2021-4104/" href="https://www.cvedetails.com/cve/CVE-2021-4104/" target="_blank" rel="noopener noreferrer"><SPAN>CVE-2021-4104</SPAN></A>&nbsp;(Log4j1) - as per <A href="https://community.cloudera.com/t5/Support-Announcements/Cloudera-response-to-CVE-2021-4104/ba-p/332287" target="_self">this</A> article, CDH user doesn't need to do anything to fix this vulnerability.</LI><LI><A href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" target="_self">CVE-2021-44228</A>&nbsp;(Log4j2) -&nbsp; as per this article, patches are available for this vulnerability for CDH 6.3.4.</LI></UL><P>But apart from above vulnerabilities, there are few more vulnerabilities of critical, high and moderate <SPAN>severity</SPAN> in Log4j1 and Log4j2 which are -&nbsp;</P><P>Log4j1 -&nbsp;<A href="https://logging.apache.org/log4j/1.2/index.html" target="_blank" rel="noopener">https://logging.apache.org/log4j/1.2/index.html</A></P><UL><LI><A href="https://www.cvedetails.com/cve/CVE-2019-17571/" target="_blank" rel="noopener">CVE-2019-17571</A><SPAN>&nbsp;is a high severity issue targeting the SocketServer.</SPAN></LI><LI><A href="https://www.cvedetails.com/cve/CVE-2022-23302/" target="_blank" rel="noopener">CVE-2022-23302</A><SPAN>&nbsp;is a high severity deserialization vulnerability in JMSSink.</SPAN></LI><LI><A href="https://www.cvedetails.com/cve/CVE-2022-23305/" target="_blank" rel="noopener">CVE-2022-23305</A><SPAN>&nbsp;is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component.</SPAN></LI><LI><SPAN><A href="https://www.cvedetails.com/cve/CVE-2022-23307/" target="_blank" rel="noopener">CVE-2022-23307</A>&nbsp;is a critical severity against the chainsaw component in Log4j 1.x.</SPAN></LI></UL><P><SPAN>Log4j2 -&nbsp;<A href="https://logging.apache.org/log4j/2.x/security.html" target="_blank" rel="noopener">https://logging.apache.org/log4j/2.x/security.html</A></SPAN></P><UL><LI><SPAN><A class="fui-Link ___m14voj0 f3rmtva f1ern45e f1deefiw f1n71otn f1q5o8ev f1h8hb77 f1vxd6vx f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f9n3di6 f1ids18y fygtlnl f1deo86v f12x56k7 f1iescvh ftqa4ok f50u1b5 fs3pq8b f1hghxdh f1tymzes f1x7u7e9 f1cmlufx f10aw75t fsle3fq" title="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046" target="_blank" rel="noopener noreferrer"><SPAN>CVE-2021-45046</SPAN></A>&nbsp;(critical severity) - Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.</SPAN></LI><LI><SPAN><A class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105" target="_blank" rel="noopener">CVE-2021-45105</A>&nbsp;(moderate severity) - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.</SPAN></LI></UL><P>[<STRONG>EDITED</STRONG>] - Is CDH 6.3.4 exposed to these, above mentioned, other CVEs? And if so -</P><P>Are there any patches released for these vulnerabilities as well&nbsp;for CDH 6.3.4?</P> Wed, 16 Nov 2022 19:03:47 GMT https://community.cloudera.com/t5/Support-Questions/What-all-vulnerabilities-related-to-Log4j1-and-Log4j2-are/m-p/357794#M237667 YogeshKumar 2022-11-16T19:03:47Z https://community.cloudera.com/t5/Support-Questions/What-all-vulnerabilities-related-to-Log4j1-and-Log4j2-are/m-p/357796#M237668 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/101861">@YogeshKumar</a>&nbsp;</P> <P>I'm curious as to exactly how you have determined that, because you have identified that there are previously identified vulnerabilities of critical, high and moderate severity in Log4j1 and Log4j2, that CDH 6.3.4 is exposed to those same vulnerabilities?</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 16 Nov 2022 16:24:06 GMT https://community.cloudera.com/t5/Support-Questions/What-all-vulnerabilities-related-to-Log4j1-and-Log4j2-are/m-p/357796#M237668 ask_bill_brooks 2022-11-16T16:24:06Z https://community.cloudera.com/t5/Support-Questions/What-all-vulnerabilities-related-to-Log4j1-and-Log4j2-are/m-p/357806#M237671 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35418">@ask_bill_brooks</a>&nbsp;Thanks for the quick response.</P><P>I am not yet sure that CDH 6.3.4 is exposed to those Log4J1 and Log4J2 vulnerabilities or not.</P><P>Maybe I should update my question that "...if CDH 6.3.4 is affected by those other CVEs then are there any fixes/patches or not?"</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you for pointing that out.</P> Wed, 16 Nov 2022 19:02:45 GMT https://community.cloudera.com/t5/Support-Questions/What-all-vulnerabilities-related-to-Log4j1-and-Log4j2-are/m-p/357806#M237671 YogeshKumar 2022-11-16T19:02:45Z