Log4j RCE 0-day Mitigation

Background

A critical vulnerability, CVE-2021-44228, in the Apache Log4j logging library was disclosed on Dec 9. The Log4j project provided release 2.15.0 with a patch that mitigates the impact of this CVE. It was quickly found that the initial patch was insufficient, and an additional CVE, CVE-2021-45046, followed. This has been fixed in release 2.16.0.

Who is affected?

The bulk of the Vitess code is written in Go and is unaffected by these vulnerabilities. The only affected component is the vitess-jdbc driver. The Java client does not depend on the logging library and is unaffected. If you are a Vitess user running the vitess-jdbc driver, you may be vulnerable to attacks that exploit these CVEs.

Affected Releases

v10.0.0, v10.0.1, v10.0.2, v11.0.0, v11.0.1, v12.0.0

Older releases that are no longer supported by the community have not been analyzed.

Note: v10.0.3, v11.0.2 and v12.0.1 were released on Dec 14 with log4j upgraded to 2.15.0, but we have had to follow up with another set of releases to upgrade to 2.16.0.

Mitigation

If you build vitess from source

Update the log4j2 version property in java/pom.xml so that the driver is built against the fixed release:

<log4j2.version>2.16.0</log4j2.version>

You can see an example here.

If you download vitess artifacts from maven-central

We have released new artifacts for the supported releases.
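Whichever route you take, it is worth verifying which log4j-core version a deployed vitess-jdbc artifact (or the application jar/war that bundles it) actually contains, rather than trusting the declared dependency. The following is an added example, not Vitess project code; it assumes the standard Maven metadata layout inside the jar and uses 2.16.0, the fixed release named in this advisory, as the threshold.

```python
import io
import re
import zipfile

FIXED_VERSION = (2, 16, 0)  # fixed release named in the advisory above
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); missing components default to 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def scan_jar(data, location="<root>"):
    """Return (location, version, vulnerable) for every log4j-core found in
    the jar/war bytes, recursing into nested jars (fat jars, WEB-INF/lib)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = match.group(1).strip() if match else "unknown"
            vulnerable = version == "unknown" or parse_version(version) < FIXED_VERSION
            findings.append((location, version, vulnerable))
        elif JNDI_CLASS in names:
            # Shaded/repackaged copy without Maven metadata: flag it for review.
            findings.append((location, "unknown", True))
        for name in names:
            if name.endswith(".jar"):
                findings.extend(scan_jar(zf.read(name), f"{location}!{name}"))
    return findings


def make_jar(version, nested_name=None):
    """Constructed sample log4j-core jar (test data only); with nested_name it
    is wrapped inside an outer fat jar at that path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    if nested_name is None:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_name, buf.getvalue())
    return outer.getvalue()
```

On a real deployment, pass the bytes of the driver jar or the application's war to `scan_jar`; any finding marked vulnerable means the 2.16.0 upgrade has not reached that artifact.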

References

https://logging.apache.org/log4j/2.x/security.html