Published: Dec 10, 2021 12:33 PM PST
Last Updated: Apr 6, 2022 12:08 PM PST (See Changelog below)
Background
A security vulnerability (CVE-2021-44228) was made public on December 9 in log4j2, a commonly used logging library for Java applications. The vulnerability allows remote code execution on impacted systems through untrusted input supplied by an attacker, for example in a logged request field. We began monitoring for and responding to this vulnerability as soon as it was reported.
Security of Confluent's fork of Log4j 1.x (confluent-log4j) and Impact to Confluent Platform
Update as of 04/05/2022: Please refer to the individual CP Security release notes for additional security hardening updates on Confluent’s fork of Log4j v1.
Confluent maintains a private fork (confluent-log4j) of Log4j 1.x that is used by Confluent Platform. We have provided fixes to this fork to address security issues in Log4j v1.x that have been disclosed in the past. We continue to scan Confluent Platform products on a regular basis including direct and transitive dependencies, and monitor for any new vulnerabilities and assess the impact to our customers.
On December 13, 2021, Red Hat updated an advisory related to CVE-2021-4104, which affects Log4j 1.x only when the deployed application is configured to use JMSAppender.
At this time, we are not issuing an update to this fork to address CVE-2021-4104. None of our software ships with JMSAppender enabled, which is a direct requirement for exploitability, and an attacker would additionally need privileged access to modify the Log4j configuration in order to exploit it.
As a reminder, Log4j 1.x (and thus confluent-log4j) does not offer the Lookup functionality of Log4j 2.x (the JNDI lookup that CVE-2021-44228 abuses) and thus is not vulnerable to CVE-2021-44228. We will continue to monitor for developments pertaining to these issues and will address any new CVEs in upcoming patch releases.
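The two conditions described above are different checks: for Log4j 2.x, whether a log4j-core jar below a fixed version is present at all; for Log4j 1.x (including confluent-log4j), whether JMSAppender is actually configured. The script below is an added example, not Confluent's tooling, that runs both checks over an install tree. The jar naming pattern (including the assumed confluent-log4j-<version>-<qualifier>.jar form), the version thresholds, the directory layout and the sample files it builds are all assumptions made for this example.

```python
"""Inventory check for the two Log4j conditions this advisory distinguishes.

Added example, not Confluent's tooling: classifies log4j jars by artifact and
version, and flags Log4j 1.x properties files that define an active JMSAppender.
"""
import os
import re
import tempfile

# Apache publishes log4j-core-2.14.1.jar / log4j-1.2.17.jar; the Confluent fork is
# assumed here to ship as confluent-log4j-<version>[-qualifier].jar.
JAR_RE = re.compile(
    r"^(log4j-core|log4j-api|log4j|confluent-log4j)-(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\.jar$"
)
FIRST_FIX_44228 = (2, 15, 0)  # CVE-2021-44228: log4j-core 2.0-beta9 through 2.14.1
TARGET_2X = (2, 17, 1)        # version the advisory's updated connectors target
# Active (uncommented) Log4j 1.x appender definition using the JMS appender class.
JMS_PROPS_RE = re.compile(
    r"^\s*log4j\.appender\.([\w.]+)\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$"
)


def classify_jar(filename):
    """Return (kind, version) for a log4j jar file name, or None for other files."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    artifact = m.group(1)
    ver = tuple(int(x) for x in m.group(2, 3, 4))
    if artifact == "log4j-core":
        if ver < FIRST_FIX_44228:
            kind = "log4j2-core-cve-2021-44228"
        elif ver < TARGET_2X:
            kind = "log4j2-core-below-2.17.1"  # 2.15.0 / 2.16.0: follow-up CVEs
        else:
            kind = "log4j2-core-ok"
    elif artifact == "log4j-api":
        kind = "log4j2-api-only"  # the JNDI lookup lives in log4j-core, not the API jar
    else:
        kind = "log4j1"  # no Lookup feature; the JMSAppender configuration is what matters
    return kind, ".".join(map(str, ver))


def jms_appenders(text):
    """Names of JMSAppender definitions active in a log4j.properties file."""
    names = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # commented out: not an active appender definition
        m = JMS_PROPS_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def scan_install(root):
    """Inventory jars and active JMSAppender definitions under root."""
    jars, jms = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            c = classify_jar(f)
            if c:
                jars.append((rel, c[0], c[1]))
            if f == "log4j.properties":
                with open(os.path.join(dirpath, f), encoding="utf-8") as fh:
                    jms.extend((rel, name) for name in jms_appenders(fh.read()))
    return {"jars": sorted(jars), "jms_appenders": sorted(jms)}


def build_sample():
    """Constructed install tree; empty jar files suffice since only names are inspected."""
    root = tempfile.mkdtemp(prefix="cp-log4j-")
    files = {
        "share/java/kafka/log4j-core-2.14.1.jar": "",
        "share/java/kafka/log4j-api-2.14.1.jar": "",
        "share/java/ksqldb/log4j-core-2.17.1.jar": "",
        "share/java/kafka/confluent-log4j-1.2.17-cp2.jar": "",
        "etc/kafka/log4j.properties": (  # JMSAppender only commented out: not flagged
            "log4j.rootLogger=INFO, stdout\n"
            "log4j.appender.stdout=org.apache.log4j.ConsoleAppender\n"
            "# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
        ),
        "etc/legacy/log4j.properties": (  # active JMSAppender: flagged
            "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
            "log4j.appender.jms.TopicBindingName=logTopic\n"
        ),
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = scan_install(build_sample())
    for rel, kind, ver in report["jars"]:
        print(f"{kind:28} {ver:8} {rel}")
    for rel, name in report["jms_appenders"]:
        print(f"JMSAppender '{name}' is active in {rel}")
```

Point scan_install at a real installation root instead of build_sample() to inventory it. Note that the jar check is name-based: a shaded or repackaged log4j-core inside another jar, or a JMSAppender defined in log4j.xml rather than log4j.properties, will not be reported by this example.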
Impact to Confluent Cloud
Confluent has mitigated all known exposure to the log4j2 vulnerability in Confluent Cloud.
We have not observed any successful exploitation of the vulnerability in Confluent Cloud. We will continue to diligently monitor Confluent Cloud for any attempted exploitation for this or other vulnerabilities.
Impact to Confluent Platform
Confluent Platform 7.0 contains the log4j2 library, while earlier versions do not.
Our investigation has not found an exploitable vector in Confluent Platform where an attacker can trigger the vulnerability.
Out of an abundance of caution, we have released a software update that removes the vulnerable version of the log4j2 library. The updated version is 7.0.1.
Impact to Confluent for Kubernetes
Confluent for Kubernetes (CFK) contains the log4j2 library in versions 2.2.0 and 2.1.0 of confluentinc/confluent-init-container.
Our investigation has not found any exploitable conditions in Confluent for Kubernetes where an attacker can trigger the vulnerability.
Out of an abundance of caution, we have released a software update that removes the vulnerable version of the log4j2 library. The updated versions are confluentinc/confluent-init-container 2.1.0-1 and 2.2.0-1.
Impact to Apache Kafka®
Apache Kafka has released an advisory indicating that Kafka is not impacted by vulnerabilities involving log4j2.
Impact to Connectors
Confluent has mitigated all known exposure to the log4j2 vulnerability to connectors running on Confluent Cloud.
We are continuing to investigate the impact of the vulnerability on connectors distributed on Confluent Hub and used on a self-managed basis with Confluent Platform.
As of this update, our investigation of Confluent-supported connectors has identified that the following connectors contained a vulnerable version of the log4j2 library:
Connector | Update status
(connector name missing) | Updated version based on Log4j 2.17.1 available (11.1.8) via Confluent Hub.
(connector name missing) | Updated version based on Log4j 2.16.0 available (1.1.5) via Confluent Hub.
(connector name missing) | Updated version based on Log4j 2.16.0 available (2.0.5) via Confluent Hub.
(connector name missing) | Updated version based on Log4j 2.17.1 available (10.1.4) via Confluent Hub.
(connector name missing) | Updated version based on Log4j 2.17.1 available (1.1.9) via Confluent Hub.
(connector name missing) | Updated version based on Log4j 2.16.0 available (1.0.8) via Confluent Hub.
For connectors on Confluent Hub that are not Confluent-supported, please contact the software provider directly for any updates. We will list updated versions of these connectors as we receive them:
Connector | Update status
(connector name missing) | Updated version based on Log4j 2.16.0 available (1.2.2) via Confluent Hub.
(connector name missing) | Updated version based on Log4j 2.16.0 available (1.0.2) via Confluent Hub.
Impact to Community/Standalone Package of ksqlDB
ksqlDB Community/Standalone includes the log4j2 library in versions 0.22.0 and earlier. As noted above, Confluent has mitigated all known exposure to the log4j vulnerability in Confluent Cloud and Confluent Platform which includes ksqlDB.
Our investigation has not found any exploitable conditions in ksqlDB where an attacker can trigger the vulnerability.
Out of an abundance of caution, we have released a software update that removes the vulnerable version of the log4j2 library. The updated version is 0.23.1.
Impact Analysis on Community Package of Confluent Platform
Confluent’s community package does not include or rely upon Log4j 2.x. Like Confluent Platform, the community package relies upon Confluent’s fork of Log4j 1.x (confluent-log4j), which is not vulnerable to CVE-2021-44228. The community package does not ship with JMSAppender configured by default, which means the Confluent community package is not impacted by CVE-2021-4104.
Changelog
- April 6, 2022 12:08 PM PST
- Added the "Update as of 04/05/2022" section to the first section of the article.
- April 5, 2022 2:19 PM PST
- Moved the Security of Confluent's fork of Log4j 1.x (confluent-log4j) and Impact to Confluent Platform section to the top of the article
- Added a link to the latest Security Release Notes noting the latest hardening of Confluent's Log4j fork
- January 28, 2022 10:46 AM PST
- Connectors table updated to indicate Log4j 2.17.1 update to ElasticSearch Sink Connector, HDFS 2 Sink Connector and HDFS 3 Sink Connector
- December 17, 2021 10:30 AM PST
- Community/Standalone Package of ksqlDB section updated with 0.23.1 release
- Replaced links in Confluent for Kubernetes section with docs.confluent.io
- December 15, 2021 3:35 PM PST
- Connectors table updated to indicate Log4j v2.16.0 update to Google DataProc Sink Connector
- December 15, 2021 12:10 PM PST
- Confluent for Kubernetes section added
- Community/Standalone Package of ksqlDB section added
- Connectors table updated to include connector versions based on Log4j v2.16.0 instead of Log4j v2.15.0 related to CVE-2021-45046
- Changelog added
- December 14, 2021 3:48 PM PST
- Apache Kafka® section added
- December 13, 2021 3:53 PM PST
- Additional updates to Connectors section
- December 13, 2021 3:25 PM PST
- Security of Confluent's fork of Log4j 1.x (confluent-log4j) section added
- “Impact Analysis on Community Package of Confluent Platform” section added
- Title updated to “December 2021 Log4j Vulnerabilities Advisory”
- December 12, 2021 11:29 PM PST
- Additional updates to Connector section
- December 12, 2021 9:29 PM PST
- Connectors section added
- December 10, 2021 1:45 PM PST
- Update published to confirm availability of CP 7.0.1 release
- December 10, 2021 12:33 PM PST
- Initial publication for Confluent Platform and Confluent Cloud customers