Open Source Offerings

 View Only

Update December 20, 2021 - Datastax support advisory for CVE-2021-44228, Zero Day Vulnerability in log4j java library

By Forhad Ahad posted Wed December 22, 2021 06:32 PM

SUPPORT ADVISORY - DECEMBER 20, 2021- Additional Log4j Vulnerabilities and fixes

URL Name


The DataStax team has been made aware of a fifth security vulnerability, CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up. 

Affected DataStax product versions:
DataStax Enterprise (DSE) versions 5.1, 6.0, 6.7, and 6.8 were not impacted by CVE-2021-44228 as DSE has Log4j 1.x code, but it is not used.  DSE is not impacted by Log4j 1.x CVE-2021-4104 or Log4j CVE-2019-17571, as it requires an active configuration of the JMSAppender or someone having privileged access to the database system. JMSAppender does not load serialized objects, just strings. DataStax is planning the removal of the Log4j code completely from DSE. 
DataStax Astra and Astra Streaming were impacted by CVE-2021-44228 and were patched immediately to Log4j 2.15.0, and once CVE 2021-45046 was announced, DataStax upgraded Astra and Astra Streaming to Log4j 2.16.0. Upgrades for Astra DB to log4j 2.16.0 are complete, and upgrades and verification to Log4j 2.17 are in progress.
DataStax Luna Support has evaluated Apache Cassandra 3.0, 3.11, 4.0 and deemed them safe. 
DataStax Luna support for Streaming (v2.7.2 and v2.8.0) were impacted by CVE-2021-44228 and were patched immediately to 2.16.0 and are complete. Upgrades and verification to Log4j 2.17.0 is in progress.
Users of v2.7.2 and 2.8.0 are urged to immediately upgrade to v 2.7.2_1.1.18 and 2.8.0_1.1.9 respectively.
DataStax Snowflake Sink Connector for Apache Pulsar was impacted by CVE-2021-44228 and was patched immediately. Users are urged to upgrade to 0.1.1 immediately. 
DataStax Studio versions are all impacted up to version 6.8.16 by the Log4j security vulnerabilities. DataStax released Studio version 6.8.17 with log4j 2.15, and then Studio version 6.8.18 with log4j 2.16. DataStax will release Studio version 6.8.19 later today that will have the log4j 2.17.0 security patch in it.
Database community tools like Reaper, Medusa, Quarkus Extension for Apache Cassandra, Management API for Apache Cassandra, DSBulk, Stargate, and Java Drivers are NOT impacted by CVE-2021-44228, CVE-2021-4104, CVE-2019-17571, CVE-2021-45046, or CVE-2021-45105 

DataStax OpsCenter and DataStax OpsCenter agents were not impacted as OpsCenter uses Simple Logging Facade for Java (SLF4J) and OpsCenter Agent uses Log4J 1.2.17.
Initial investigations for the past 10 days do not show any Indicators of Compromise(IoCs). DataStax will continue to monitor and investigate the situation and provide updates of any further developments. 

DataStax is currently aware of five Common Vulnerabilities and Exposures (CVEs) that have impacted the Log4j java version library over the last 10 days: 
CVE-2021-44228 is a zero-day security vulnerability with a CVSS high risk score of 10/10 that allows for Remote Code Execution (RCE) in Log4j java libraries version 2.0 - 2.14.0 when user input that contains Java Naming and Directory Interface (JNDI) lookup pointing to a malicious server, Log4j would then resolve the look up and allow for the download of potentially malicious java code form the remote server, that can be executed remotely. Log4j 2.15.0 was released to mitigate this zero-day security vulnerability.
CVE-2021-4104 is a second vulnerability with a CVSS high risk score of 8.1/10 found in the Java logging library Apache Log4j in version 1.x, where the Java Message Service (JMS) Appender in Log4j 1.x is vulnerable to deserialization of untrusted data that allows a remote code execution if the application is configured to use JMS Appender. 
CVE-2019-17571 is a third security vulnerability with a CVSS high risk score 9.8/10, identified within Log4j 1.x. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. 
CVE-2021-45046 is a fourth security vulnerability with a CVSS low risk score of 3.7/10 that was found when addressing the fix for CVE-2021-4428, that Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Mapped Diagnostic Context (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 was released and tried to resolve this issue by removing support for message lookup patterns and disabling JNDI functionality by default. 

CVE-2021-45105 is a fifth security vulnerability with a CVSS high risk score of 7.5 /10 that fails to protect from uncontrolled recursion from self-referential lookups. Versions prior to 2.17.0 are susceptible to a vulnerability when the logging configuration uses a non-default Pattern Layout with a Context Lookup. When successfully exploited this could allow attackers with control over Thread Context Map (MDC) input data to craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. Log4j work to resolve this by only allowing lookup strings in configuration are expanded recursively; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.
The Apache Foundation has recommended all Log4j java libraries be patched with Log4j 2.17.0 for Java 8 and up. DataStax has systematically upgraded affected products to 2.15.0, 2.16.0, and is now in the process of upgrading and verifying the upgrade to Log4j 2.17.0.