Cloudera is aware of CVE-2021-4104, which affects the JMSAppender in Apache Log4j 1.x. The flaw is only reachable when software is explicitly configured to use the JMSAppender, which is not the default, or when an attacker already has write access to the Log4j configuration and can add a JMSAppender. In that case the appender's JNDI settings (such as TopicBindingName and TopicConnectionFactoryBindingName) can be pointed at an attacker-controlled endpoint, and the resulting JNDI lookup deserializes untrusted data. Cloudera does not use the JMSAppender in its products, and it is not used by default in the log4j properties Cloudera ships. Cloudera customers do not need to take any action to address CVE-2021-4104. If you have further questions, please contact Cloudera Support through our My Cloudera Support portal.
Because Cloudera Manager and Ambari allow authenticated users who are privileged to modify cluster configuration to insert custom logging configuration, customers are advised to review the logging configuration of their clusters and confirm that it contains no references to the JMSAppender (class org.apache.log4j.net.JMSAppender). Note that the presence of the JMSAppender class inside the Log4j 1.x jar on disk is not itself a finding; only an active appender definition in the logging configuration is. To find these settings, look for the following based on the cluster management tool in use:
- Cloudera Manager: "{SERVICE_NAME} Logging Advanced Configuration Snippet (Safety Valve)"
- Ambari: "Advanced{SERVICE_NAME}-log4j"
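The review described above amounts to checking each service's logging configuration text for an active JMSAppender definition. The following script is an added example and is not Cloudera's or Ambari's own tooling: it takes the contents of a Cloudera Manager Logging Safety Valve or an Ambari Advanced*-log4j field (copied into a file, or piped in), accepts both the properties and the XML syntax of Log4j 1.x, ignores commented-out lines so that only active configuration is reported, and for properties-style definitions also lists the JNDI-related JMSAppender settings so the reviewer can see where the appender would connect. The sample configurations embedded in it are constructed for illustration; the broker host and topic names in them are made up.

```python
"""Scan a Log4j 1.x configuration (properties or XML syntax) for JMSAppender.

Added example for the CVE-2021-4104 advisory; not Cloudera's or Ambari's tooling.
Usage: python scan_jms_appender.py <file>...   (or pipe the configuration on stdin)
"""
import re
import sys

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# JMSAppender settings that decide what the JNDI lookup connects to.
JNDI_PROPERTIES = (
    "TopicBindingName",
    "TopicConnectionFactoryBindingName",
    "ProviderURL",
    "InitialContextFactoryName",
)

# log4j.appender.<name>=<class>   (name has no dots, so ".File=" lines do not match)
_PROPS_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)\s*$")
# log4j.appender.<name>.<property>=<value>
_PROPS_PROPERTY = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\.([^.=:\s]+)\s*[=:]\s*(.*?)\s*$")
# <appender name="..." class="..."> in either attribute order; excludes <appender-ref>
_XML_APPENDER = re.compile(r"<appender\s([^>]*)>", re.I)
_XML_COMMENT = re.compile(r"<!--.*?-->", re.S)


def _attr(tag_body, name):
    m = re.search(r'\b%s\s*=\s*"([^"]*)"' % name, tag_body, re.I)
    return m.group(1) if m else None


def _is_props_comment(line):
    return line.lstrip().startswith(("#", "!"))


def find_jms_appenders(config_text):
    """Return one finding per active appender whose class is JMSAppender.

    Each finding is a dict: name, line (1-based), format ('properties'|'xml') and
    jndi (JNDI-related settings for that appender; properties syntax only).
    """
    findings = []
    lines = config_text.splitlines()

    # Properties syntax: collect appender declarations, then the JNDI settings
    # attached to the ones that are JMSAppenders.
    declared = {}
    for lineno, raw in enumerate(lines, 1):
        m = None if _is_props_comment(raw) else _PROPS_APPENDER.match(raw)
        if m:
            declared[m.group(1)] = (m.group(2), lineno)
    jndi = {n: {} for n, (cls, _) in declared.items() if cls == JMS_APPENDER_CLASS}
    for raw in lines:
        m = None if _is_props_comment(raw) else _PROPS_PROPERTY.match(raw)
        if m and m.group(1) in jndi and m.group(2) in JNDI_PROPERTIES:
            jndi[m.group(1)][m.group(2)] = m.group(3)
    for name, (cls, lineno) in declared.items():
        if cls == JMS_APPENDER_CLASS:
            findings.append({"name": name, "line": lineno,
                             "format": "properties", "jndi": jndi[name]})

    # XML syntax: blank out comments (keeping newlines so line numbers survive),
    # then inspect every <appender> element.
    stripped = _XML_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), config_text)
    for m in _XML_APPENDER.finditer(stripped):
        if _attr(m.group(1), "class") == JMS_APPENDER_CLASS:
            findings.append({"name": _attr(m.group(1), "name"),
                             "line": stripped.count("\n", 0, m.start()) + 1,
                             "format": "xml", "jndi": {}})
    return sorted(findings, key=lambda f: f["line"])


def uses_jms_appender(config_text):
    """True if the configuration actively defines a JMSAppender."""
    return bool(find_jms_appenders(config_text))


# Constructed samples (not real cluster configuration): a Safety Valve style
# snippet and an XML configuration, each with one active and one commented-out
# JMSAppender. Hostnames and topic names are made up.
SAMPLE_PROPERTIES = """\
# constructed sample snippet
log4j.rootLogger=INFO, RFA, jms
log4j.appender.RFA=org.apache.log4j.RollingFileAppender
log4j.appender.RFA.File=/var/log/hadoop/hdfs.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.internal:61616
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
#log4j.appender.old=org.apache.log4j.net.JMSAppender
"""

SAMPLE_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <!-- <appender name="oldjms" class="org.apache.log4j.net.JMSAppender"/> -->
  <appender class="org.apache.log4j.net.JMSAppender" name="jms">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root>
    <appender-ref ref="console"/>
    <appender-ref ref="jms"/>
  </root>
</log4j:configuration>
"""

if __name__ == "__main__":
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<stdin>", sys.stdin.read())]
    for path, text in sources:
        for f in find_jms_appenders(text):
            print("%s:%d: appender '%s' (%s) uses %s %s"
                  % (path, f["line"], f["name"], f["format"], JMS_APPENDER_CLASS, f["jndi"]))
```

Run it over each service's exported logging snippet; a non-empty report means the configuration contains a live JMSAppender that should be removed, while commented-out lines are deliberately not reported. The XML branch only identifies the appender element; if you use XML configuration, read the element's `<param>` children by hand for the JNDI settings.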