OEM & Open Source Offerings

Datastax support advisory for CVE-2021-44228, Zero Day Vulnerability in log4j java library

By Forhad Ahad posted Thu December 16, 2021 04:13 PM

Title: SUPPORT ADVISORY - DECEMBER 13, 2021 CVE-2021-44228

Overview

Issue:

CVE-2021-44228 "Log4Shell" zero-day vulnerability in the log4j Java library. This has a CVSS score of 10/10.

Affected Versions:

DataStax Enterprise (DSE) versions 5.1, 6.0, 6.7, and 6.8 and OpsCenter are not impacted by CVE-2021-44228, as
DSE uses the log4j 1.x Java library. DSE is not impacted by the log4j 1.x CVE-2021-4104, as that vulnerability requires an active configuration
of the JMSAppender or someone having privileged access to the database system. JMSAppender does not load
serialized objects, just strings.
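The advisory's reasoning for CVE-2021-4104 hinges on whether a JMSAppender is actually active, not merely present on the classpath. The following added example (not code from DataStax or the advisory) shows how a defender can audit a log4j 1.x properties file for that condition: it lists every appender declared with the `org.apache.log4j.net.JMSAppender` class and reports only those that are wired into the root logger or a named logger. The configuration text is constructed for the example; the property names follow the standard log4j 1.x properties format.

```python
"""Audit a log4j 1.x properties configuration for an active JMSAppender.

Added example: an appender that is declared but never referenced by a logger
is inert, so only declared-and-referenced JMSAppenders are reported.
"""
import re
from typing import Dict, List, Set

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# Constructed sample configuration (not from any real deployment):
# "jms" is declared and wired into the root logger, "unused" is declared only.
SAMPLE_CONFIG = """
# constructed log4j 1.x configuration used only for this example
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=exampleTopic
log4j.appender.unused=org.apache.log4j.net.JMSAppender
"""

# Constructed configuration with no JMSAppender at all.
SAFE_CONFIG = """
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def declared_jms_appenders(props: Dict[str, str]) -> List[str]:
    """Names of appenders whose class is JMSAppender (log4j.appender.NAME=...)."""
    names = []
    for key, value in props.items():
        # Only the bare appender key, not sub-keys like log4j.appender.NAME.Foo
        match = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if match and value == JMS_APPENDER_CLASS:
            names.append(match.group(1))
    return names


def referenced_appenders(props: Dict[str, str]) -> Set[str]:
    """Appender names attached to the root logger or any named logger/category."""
    refs: Set[str] = set()
    for key, value in props.items():
        is_logger = key in ("log4j.rootLogger", "log4j.rootCategory") or key.startswith(
            ("log4j.logger.", "log4j.category.")
        )
        if not is_logger:
            continue
        parts = [p.strip() for p in value.split(",")]
        # First token is the level (e.g. INFO); the remaining tokens are appenders.
        refs.update(p for p in parts[1:] if p)
    return refs


def active_jms_appenders(text: str) -> List[str]:
    """JMSAppenders that are both declared and referenced, i.e. actually active."""
    props = parse_properties(text)
    declared = declared_jms_appenders(props)
    refs = referenced_appenders(props)
    return sorted(name for name in declared if name in refs)


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, "active JMSAppenders:", active_jms_appenders(cfg))
```

Run against a real file with `active_jms_appenders(open("log4j.properties").read())`; an empty result means the JMSAppender precondition the advisory describes is not met by that configuration (XML-based log4j 1.x configurations would need a separate parser).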

DataStax Astra and Astra Streaming were impacted by CVE-2021-44228 and were patched immediately.

DataStax Luna Support has evaluated Apache Cassandra 3.0, 3.11, 4.0 and deemed safe.

DataStax Luna support for Streaming (v2.7.2 and v2.8.0) was impacted by CVE-2021-44228 and was patched
immediately. Users of v2.7.2 and v2.8.0 are urged to immediately upgrade to v2.7.2_1.1.18 and v2.8.0_1.1.9 respectively.

DataStax Snowflake Sink Connector for Apache Pulsar was impacted by CVE-2021-44228 and was patched immediately.
Users are urged to upgrade to 0.1.1 immediately.

Database community tools like Reaper, Medusa, Quarkus Extension for Apache Cassandra, Management API for
Apache Cassandra, DSBulk, Stargate, and Java Drivers are NOT impacted by CVE-2021-44228.

Initial investigations for the past 72 hours do not show any indication of compromise. DataStax will continue to monitor
and investigate the situation and provide updates of any further developments.

If you have any questions or concerns, please contact DataStax Support from the DataStax customer portal at
https://support.datastax.com .

Background:

On December 9, 2021, security researchers found a zero-day vulnerability in the log4j Java library. Log4j 2 is an open-source
Java logging library developed by the Apache Foundation. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.
The vulnerability allows for unauthenticated remote code execution (RCE). To exploit the vulnerability, an attacker has to
cause the application to save a special string of characters in the log.

Mitigation:

The Apache Foundation Log4J team has recommended upgrading all instances of Log4j to Log4j 2.16.0, where the
vulnerability has already been patched.
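The affected-version range (Log4j 2 versions 2.0 to 2.14.1), the note that log4j 1.x is not affected by CVE-2021-44228, and the recommendation to upgrade to 2.16.0 together define a simple inventory check. The following added example (not code from DataStax or Apache) classifies log4j jar file names found on a host against those statements. It assumes the conventional artifact names `log4j-core-<version>.jar` for Log4j 2 and `log4j-<version>.jar` for log4j 1.x; the paths in `SAMPLE_JARS` are constructed for the example.

```python
"""Classify log4j jar file names against the advisory's version statements.

Added example. Statuses:
  affected          Log4j 2 in 2.0..2.14.1 (the range the advisory names)
  upgrade           other Log4j 2 below the recommended 2.16.0
  patched           at or above the recommended 2.16.0
  not-affected-1.x  log4j 1.x, not impacted by CVE-2021-44228 per the advisory
"""
import re
from pathlib import PurePath
from typing import List, Optional, Tuple

RECOMMENDED = (2, 16, 0)
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 14, 1)

# Matches log4j-core-2.14.1.jar and log4j-1.2.17.jar; log4j-api and unrelated
# jars are deliberately not matched.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)")

# Constructed sample inventory (not from any real host).
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/legacy/lib/log4j-1.2.17.jar",
    "/opt/other/lib/log4j-core-2.16.0.jar",
    "/opt/other/lib/commons-lang3-3.12.0.jar",
    "/opt/mid/lib/log4j-core-2.15.0.jar",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tuples compare element-wise, which is what we need."""
    return tuple(int(part) for part in version.split("."))


def classify_version(version: str) -> str:
    """Map a log4j version string to one of the statuses in the module docstring."""
    parts = parse_version(version)
    if parts[0] == 1:
        return "not-affected-1.x"
    if parts[0] == 2 and AFFECTED_MIN <= parts <= AFFECTED_MAX:
        return "affected"
    if parts >= RECOMMENDED:
        return "patched"
    return "upgrade"


def version_from_jar_name(path: str) -> Optional[str]:
    """Extract the version from a log4j jar file name, or None if not a log4j jar."""
    match = JAR_RE.match(PurePath(path).name)
    return match.group(1) if match else None


def scan_jars(paths: List[str]) -> List[Tuple[str, str, str]]:
    """(path, version, status) for every recognised log4j jar in the list."""
    results = []
    for path in paths:
        version = version_from_jar_name(path)
        if version is None:
            continue
        results.append((path, version, classify_version(version)))
    return results


def needs_action(paths: List[str]) -> List[str]:
    """Paths whose jar should be upgraded to the recommended release."""
    return [p for p, _, status in scan_jars(paths) if status in ("affected", "upgrade")]


if __name__ == "__main__":
    for path, version, status in scan_jars(SAMPLE_JARS):
        print(f"{status:18} {version:8} {path}")
    print("needs action:", needs_action(SAMPLE_JARS))
```

To use it on a real host, feed it the output of a file-system walk (for example every `*.jar` under the application directories); the classification mirrors the advisory and treats anything below the recommended 2.16.0 as needing an upgrade, which is the safe default when a version is outside the explicitly listed range.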

Note: This article is a reproduction of the DataStax community support article below. Please refer to that article for
the latest information.

https://datastaxcommunities.force.com/support/s/article/SUPPORT-ADVISORY-DECEMBER-13-2021-CVE-2021-44228