Support Questions

cjervis · ‎12-11-2021

Hello,

I wanted to ask if there's a page / instructions / info regarding the recent log4j2 vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and how it can affect Cloudera CDH setups? If it does affect, what are the recommended mitigations on it?

Thanks,

Mor

ThomasHopewell · ‎12-13-2021

Hi Srikanth,

Thanks for that, it's a helpful link.

It would still be great to get something offical from Cloudera. I've emailed our rep with them to see if he has any info. If he gets back to me, I'll drop anything relevant back into this thread.

Regards,

Tom

sri840 · ‎12-14-2021

@ThomasHopewell Thank you for providing info, please let us know if you get any information on this issue .

Thanks

Srikanth

gauravsuri · ‎12-13-2021

Hi Team,

There is a vulnerability reported for Log4J in in the below link:-

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

As per our knowledge, NIFI uses LOGback which is a successor of Log4J, so we should not be having any issues/vulnerabilities with NIFI. But, we wanted to be sure of the same. Please share if in case anyone has any thoughts for NIFI over this.

We are using NIFI 1.8 currently in our organization which uses Logback 1.1.3

Eric_B · ‎12-13-2021

Hive I believe is vulnerable and running 2.10.

dward4 · ‎12-13-2021

I'm also curious about hive, not sure how to remediate.

Eric_B · ‎12-13-2021

Obviously, the best solution would be to replace all jars with the latest Log4j2 jars, but the way Cloudera does things now it might break things. In the long term, better to wait for them to make a statement.

Here's a link that may help, look under workarounds: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

jimcovert · ‎12-13-2021

I noticed this new repo on Cloudera's GitHub but have not seen any official communication about it on Cloudera's site, from our account team, or via the proactive support channels - that makes me leery about using it in our environment.

https://github.com/cloudera/cloudera-scripts-for-log4j

Eric_B · ‎12-13-2021

Agreed. Glad to see anything being done, but an official message needs to be put out before I destroy production lol.

cjervis · ‎12-13-2021

All, please read the Cloudera blog article on this topic:

Cloudera Response to CVE-2021-4428

Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Eric_B · ‎12-13-2021

The TSB is not available unless you have a Knowledge Base subscription. Given the severity of the problem, will this information be made available to the public?

Cloudera Community

Support Questions

log4j2 vulnerability (CVE-2021-44228)