Background #
A critical vulnerability, CVE-2021-44228, in the Apache Log4j 2 logging library was disclosed on Dec 9, 2021. The project released 2.15.0 with a patch that mitigates the impact of this CVE. It was quickly found that the initial patch was incomplete in certain non-default configurations, and a second CVE, CVE-2021-45046, followed. That issue is fixed in release 2.16.0.
Who is affected? #
The bulk of the Vitess code base is written in Go and is unaffected by these vulnerabilities. The only affected component is the vitess-jdbc driver, which depends on Log4j 2. The plain Java client does not depend on the logging library and is unaffected. If you are a Vitess user running the vitess-jdbc driver, you may be vulnerable to attacks that exploit these CVEs.
Affected Releases #
v10.0.0, v10.0.1, v10.0.2, v11.0.0, v11.0.1, v12.0.0
Older releases that are no longer supported by the community have not been analyzed.
Note: v10.0.3, v11.0.2 and v12.0.1 were released on Dec 14 and upgraded Log4j to 2.15.0. Because 2.15.0 turned out to be insufficient (CVE-2021-45046), a further set of releases upgrading to 2.16.0 has followed.
Mitigation #
If you build vitess from source #
Update the dependency in java/pom.xml
<log4j2.version>2.16.0</log4j2.version>
You can see an example here.
If you download vitess artifacts from maven-central #
New vitess-jdbc artifacts built against Log4j 2.16.0 have been published for each supported release; update your dependency on vitess-jdbc to the new version.
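Whichever route you take, verify the artifact you actually deploy rather than trusting the pom: a shaded or bundled jar can carry its own copy of log4j-core. The script below is an added example written for this advisory, not Vitess project code. It opens a jar (and any jars nested inside it), reads the standard Maven metadata that log4j-core ships at `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`, and flags any version below 2.16.0, the fix threshold given above. It assumes that Maven layout; a build that relocates the Log4j packages but keeps `JndiLookup.class` is reported for manual review instead. The sample jars it builds when run without arguments are constructed fixtures, not real releases, and it does not special-case the Java 7 backport branches (2.12.x), which carry the same fixes under lower version numbers.

```python
"""Report log4j-core versions below 2.16.0 inside jar files, nested jars included.

Added example for the Vitess Log4j advisory; not Vitess project code.
Relies on the standard Maven pom.properties that log4j-core ships with.
"""
import io
import re
import sys
import zipfile
from typing import List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)  # CVE-2021-44228 and CVE-2021-45046 are both fixed from 2.16.0
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.15.0' -> (2, 15, 0); missing components become 0, suffixes like '-rc1' are dropped."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def needs_upgrade(version: str) -> bool:
    """True when the version predates the 2.16.0 fix this advisory points to."""
    return parse_version(version) < FIXED


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Version string from log4j-core's pom.properties; 'unknown' if only the
    JndiLookup class is present (metadata stripped by shading); None if absent."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if JNDI_LOOKUP in names:
        return "unknown"
    return None


def scan_jar(data: bytes, path: str = "<jar>") -> List[Tuple[str, str]]:
    """Return (location, version) findings for this jar and every jar nested in it."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = log4j_core_version(zf)
        if version is not None:
            findings.append((path, version))
        for info in zf.infolist():
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                # Recurse into bundled jars (uber-jars, WAR lib/ directories, ...)
                findings.extend(scan_jar(zf.read(info), f"{path}!/{info.filename}"))
    return findings


def report(data: bytes, path: str = "<jar>") -> List[str]:
    """One line per log4j-core found; 'UPGRADE' marks versions below 2.16.0."""
    lines = []
    for location, version in scan_jar(data, path):
        if version == "unknown":
            verdict = "CHECK MANUALLY"
        elif needs_upgrade(version):
            verdict = "UPGRADE"
        else:
            verdict = "ok"
        lines.append(f"{verdict}: log4j-core {version} at {location}")
    return lines


def build_sample_jar(version: str, nested: bool = False) -> bytes:
    """Constructed fixture: a minimal jar carrying log4j-core Maven metadata.
    With nested=True it is wrapped inside an outer application jar under lib/."""
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    inner = inner_buf.getvalue()
    if not nested:
        return inner
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"lib/log4j-core-{version}.jar", inner)
    return outer_buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            with open(p, "rb") as fh:
                print("\n".join(report(fh.read(), p) or [f"ok: no log4j-core in {p}"]))
    else:
        # No paths given: demonstrate on constructed sample jars
        for v, nested in (("2.14.1", False), ("2.15.0", True), ("2.16.0", False)):
            print("\n".join(report(build_sample_jar(v, nested), f"sample-{v}.jar")))
```

Run it as `python scan_log4j.py path/to/vitess-jdbc*.jar` against the artifact you deploy; a `UPGRADE` line for any location means the bundle still carries a pre-2.16.0 log4j-core even if the pom property was changed.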