On December 10th 2021, the Apache Software Foundation released version 2.15.0 of the Log4j Java logging library, fixing CVE-2021-44228, a remote code execution vulnerability affecting Log4j 2.0-2.14. An attacker can use this vulnerability to instruct affected systems to download and execute a malicious payload through submitting a custom-crafted request. This vulnerability is critical and is rated 10 out of 10 on the CVSS 3.1 scoring scale.
How is Cloudera responding to this vulnerability?
Software and services across our industry and open source communities use Log4j for handling log messages. Cloudera’s security and engineering teams have identified the impact of this CVE across our product suite, and Cloudera customers have been sent detailed updates through Cloudera’s Technical Support Bulletins (TSB) and My Cloudera support cases.
What Cloudera products and versions are affected?
Multiple Cloudera products and open source projects use Log4j to process log messages. The Cloudera support team has provided the list of impacted products and versions to our Cloudera customers through a detailed TSB. If you are not an existing Cloudera customer, please go here.
What do Cloudera customers need to do to mitigate this CVE?
We encourage customers to review the details in our TSB and apply workarounds immediately. At the same time, customers should plan to upgrade to soon-to-be-released versions of Cloudera software that include fixes for this CVE.
It’s also important to understand that this vulnerability is not limited to Cloudera products. This vulnerability can affect underlying infrastructure software as well as workloads customers run on top of Cloudera products, such as Spark jobs or Flink applications. We recommend that customers assess their entire environment for the use of Log4j and remediate it as soon as possible.
Should customers wait for a new Cloudera release or use suggested remediation?
The situation is critical, and exploits and bypasses are beginning to propagate on the internet. Unless you know your environment is fully protected with compensating controls, we recommend that customers immediately address the situation with the proposed remediation and plan to upgrade to upcoming software releases.
Please create a support case through My Cloudera for any further questions or clarifications.