Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

What all vulnerabilities related to Log4j1 and Log4j2 are fixed/addressed in CDH 6.3.4?

avatar
author-rank YogeshKumar
New Contributor

Created on ‎11-16-2022 08:08 AM - edited ‎11-16-2022 11:03 AM

I believe below mentioned CVEs are either addressed or fixed through patching in CDH 6.3.4 -

  • CVE-2021-4104 (Log4j1) - as per this article, CDH user doesn't need to do anything to fix this vulnerability.
  • CVE-2021-44228 (Log4j2) -  as per this article, patches are available for this vulnerability for CDH 6.3.4.

But apart from above vulnerabilities, there are few more vulnerabilities of critical, high and moderate severity in Log4j1 and Log4j2 which are - 

Log4j1 - https://logging.apache.org/log4j/1.2/index.html

  • CVE-2019-17571 is a high severity issue targeting the SocketServer.
  • CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink.
  • CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component.
  • CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x.

Log4j2 - https://logging.apache.org/log4j/2.x/security.html

  • CVE-2021-45046 (critical severity) - Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
  • CVE-2021-45105 (moderate severity) - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.

[EDITED] - Is CDH 6.3.4 exposed to these, above mentioned, other CVEs? And if so -

Are there any patches released for these vulnerabilities as well for CDH 6.3.4?

988 Views
0 Kudos
2 REPLIES 2

avatar
ask_bill_brooks author-rank
Moderator

Created ‎11-16-2022 08:24 AM

@YogeshKumar 

I'm curious as to exactly how you have determined that, because you have identified that there are previously identified vulnerabilities of critical, high and moderate severity in Log4j1 and Log4j2, that CDH 6.3.4 is exposed to those same vulnerabilities?

 

 

Bill Brooks, Community Moderator
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
978 Views
0 Kudos

avatar
author-rank YogeshKumar
New Contributor

Created on ‎11-16-2022 10:07 AM - edited ‎11-16-2022 11:02 AM

@ask_bill_brooks Thanks for the quick response.

I am not yet sure that CDH 6.3.4 is exposed to those Log4J1 and Log4J2 vulnerabilities or not.

Maybe I should update my question that "...if CDH 6.3.4 is affected by those other CVEs then are there any fixes/patches or not?"

 

 

Thank you for pointing that out.

935 Views
0 Kudos
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
meetups banner