I believe the below-mentioned CVEs are either addressed or fixed through patching in CDH 6.3.4 -
- CVE-2021-4104 (Log4j1) - as per this article, CDH user doesn't need to do anything to fix this vulnerability.
- CVE-2021-44228 (Log4j2) - as per this article, patches are available for this vulnerability for CDH 6.3.4.
But apart from the above vulnerabilities, there are a few more vulnerabilities of critical, high and moderate severity in Log4j1 and Log4j2, which are -
Log4j1 - https://logging.apache.org/log4j/1.2/index.html
- CVE-2019-17571 is a high severity issue targeting the SocketServer.
- CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink.
- CVE-2022-23305 is a high severity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component.
- CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x.
Log4j2 - https://logging.apache.org/log4j/2.x/security.html
- CVE-2021-45046 (critical severity) - Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
- CVE-2021-45105 (moderate severity) - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
[EDITED] - Is CDH 6.3.4 exposed to these above-mentioned other CVEs? And if so -
Are there any patches released for these vulnerabilities as well for CDH 6.3.4?
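Added example (not part of the original post and not Cloudera tooling): a Python inventory script that walks a directory tree, for instance a parcel or lib directory, and reports which of the CVEs listed above each log4j jar appears exposed to. For Log4j 1.x it checks for the affected classes, since 1.x has no fixed release and removing those classes is the usual mitigation; for Log4j 2.x it compares the version in the jar filename against the mainline fix releases 2.16.0 (CVE-2021-45046) and 2.17.0 (CVE-2021-45105). Filename-based versioning and ignoring the 2.12.x/2.3.x back-port lines are simplifying assumptions of this example.

```python
import re
import zipfile
from pathlib import Path

# Log4j 1.x: class (or package prefix) whose presence marks exposure.
# 1.x has no fixed release, so presence of the component is the check.
LOG4J1_MARKERS = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",
}
# Log4j 2.x: first mainline release fixing each CVE (assumption: the
# 2.12.x / 2.3.x back-port lines are not modelled in this example).
LOG4J2_FIXED_IN = {"CVE-2021-45046": (2, 16, 0), "CVE-2021-45105": (2, 17, 0)}
VERSION_RE = re.compile(r"log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")


def scan_jar(jar_path):
    """Return the CVE ids a single jar appears exposed to."""
    findings = []
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        for marker, cve in LOG4J1_MARKERS.items():
            if any(n == marker or (marker.endswith("/") and n.startswith(marker))
                   for n in names):
                findings.append(cve)
    match = VERSION_RE.search(str(jar_path))
    if match:  # version taken from the filename (assumption of this example)
        version = tuple(int(x) for x in match.groups())
        if version[0] == 2:
            for cve, fixed in LOG4J2_FIXED_IN.items():
                if version < fixed:
                    findings.append(cve)
    return findings


def scan_tree(root):
    """Walk root and return {jar_path: [cve, ...]} for every jar with findings."""
    report = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            found = scan_jar(jar)
        except zipfile.BadZipFile:
            continue  # not a real jar; skip rather than abort the inventory
        if found:
            report[str(jar)] = found
    return report


if __name__ == "__main__":
    import sys
    for path, cves in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {', '.join(cves)}")
```

Run it as `python scan_log4j.py /path/to/lib` on each node; an empty report means no jar matched the markers or versions above, not that the host is patched.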