Support Questions

Find answers, ask questions, and share your expertise

log4j2 vulnerability (CVE-2021-44228)

avatar
New Contributor

Hello,

 

I wanted to ask if there's a page / instructions / info regarding the recent log4j2 vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and how it can affect Cloudera CDH setups? If it does affect, what are the recommended mitigations on it?

 

Thanks,

Mor

39 REPLIES 39

avatar

It is in deed an important question.

avatar
New Contributor

Following - Cloudera please provide recommendations as this is really urgent.

avatar
Contributor

Please go through below apache docs, its might help 

 

https://logging.apache.org/log4j/2.x/manual/migration.html

avatar
New Contributor

I upgraded log4j to 2.17 0, but the following error occurred when restarting hiveserver2:

 

微信图片_20211224160407.png

avatar
Explorer

Hi All,

 

Is there any impact of CVE-2021-44228 - log4j Arbitrary RCE on CDH 5.x and 6.x??

 

Regards,

Hanu

avatar
Community Manager

Cloudera platform security teams are actively assessing the impact to our on-premises and cloud  products and will provide an impact analysis update to customers as soon as possible.


Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Explorer

Hi Team,

 

Currenlty in our organization we are using Cloudera 6.3.1 express edition, recently our company security team came up with log4j CVE-2021-44228  vulnerable, Could you please suggest due to this any problem for cloudera ? 

 

Thanks

Srikanth

avatar
Contributor

I second this question. I currently administer a CDH 5.16 cluster that we're in the process of upgrading to CDP 7.x. Is there a statement from cloudera about the extent of the vulnerablility in their products and how we can go about patching it?

avatar
Explorer

Hi Thomas 

 

Could you please refer to below url , this statement came from apache, but not from Cloudera. 

 

 

https://logging.apache.org/log4j/2.x/security.html

 

Thanks

Srikanth