Cloudera Logging is a modified Apache Log4j 1.2.x compatible logging library included with Cloudera on premises Base 7.1.7 SP1 that is created, distributed, and maintained by Cloudera to address the recent vulnerabilities in Apache Log4j 1.2.x.
While Apache Log4j 2.x is actively maintained by the Apache Software Foundation community, 1.2.x isn't and many Cloudera components rely on Log4j 1.2.x libraries. Because there is limited compatibility between 1.2.x and 2.x, we created Cloudera Logging which was forked from Apache Log4J 1.2.17 and maintained by Cloudera internally to provide customers with a more secure, stable, and maintained logging library that's compatible with 1.2.x and includes security fixes from the Log4j and Reload4j community fork. To help ensure that Cloudera Logging stays current with the latest community work, Cloudera's product security and compliance teams are monitoring the Log4j and Reload4j communities for new issues and, when identified, work to include fixes in Cloudera Logging as applicable.
With Cloudera on premises Base 7.1.7 SP1, Cloudera Logging includes fixes for CVE-2020-9488, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.
Please reach out to your Cloudera account team if you have any questions or would like to upgrade to the latest version of Cloudera on premises Base 7.1.7 SP1.
Additional resources:
