Apache Log4j Security Vulnerabilities
In the past few weeks, the Apache Log4j security vulnerabilities have been in the news everywhere. Since Kontext publishes several installation guides for Hadoop, Spark, Hive, Kafka and other projects that use Log4j, this article gives you some information to find out the impact and how to fix it.
What is impacted
The page Apache projects affected by log4j CVE-2021-44228 lists all the impacted Apache projects. Of the projects covered by the installation guides on Kontext, Hive is the only one that is impacted.
About the vulnerabilities
Refer to this page for more details about each vulnerability and how to fix it: https://logging.apache.org/log4j/2.x/security.html.
Fixes
The following is quoted from the above page and summarizes the fix for Log4j 2.x as of release 2.17.0. That release addresses CVE-2021-45105 (the infinite recursion issue referred to below) and also contains the fixes for the earlier CVE-2021-44228 and CVE-2021-45046, so upgrading to the listed versions covers all three:
Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
Alternatively, this infinite recursion issue (CVE-2021-45105) can be mitigated in configuration:
In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
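The two configuration mitigations above, shown side by side as an added example (this fragment is not from the Log4j security page or the Kontext guides; the appender name and the loginId key are assumed for illustration):

```xml
<!-- Before: a Context Lookup inside the pattern is evaluated through the lookup
     engine for every event. When loginId comes from outside the application
     (an HTTP header, a form field), the logged value can itself contain lookup
     syntax, which is what the infinite recursion issue (CVE-2021-45105) abuses.
     The same applies to the delayed form $${ctx:loginId}. -->
<Appender type="Console" name="STDOUT">
  <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c ${ctx:loginId} %m%n"/>
</Appender>

<!-- After: %X{loginId} (equivalently %mdc{loginId} or %MDC{loginId}) reads the
     same Thread Context Map entry as plain data, with no lookup evaluation.
     If loginId is not needed in the pattern at all, simply remove it. -->
<Appender type="Console" name="STDOUT">
  <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c %X{loginId} %m%n"/>
</Appender>
```

Note that this only removes the recursion trigger from the pattern; it is a stopgap for hosts that cannot be upgraded immediately, not a replacement for moving to a fixed log4j-core version.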
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted.
Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects such as Log4net and Log4cxx are not impacted.
Always refer to the official page for the latest information.
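To check an actual installation (for example the lib directory of a Hive deployment) rather than rely on the project list alone, the script below walks a directory tree, finds every JAR that embeds log4j-core (including shaded fat JARs), reads the version from the bundled Maven metadata or the file name, and compares it against the fixed versions quoted above. It also reports whether the JndiLookup class is still present, since deleting that class from the JAR was a widely used stopgap for CVE-2021-44228 that does not address CVE-2021-45105. This is an added example written for this article, not a tool from the Log4j project or Kontext; the sample JARs it builds when run without arguments are constructed placeholders (empty class entries), not real Log4j builds.

```python
"""Find log4j-core JARs under a directory tree and report whether each one carries
the fixes for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105."""
import os
import re
import sys
import tempfile
import zipfile

# A class shipped in every log4j-core JAR, also when it is shaded into a fat JAR.
CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
# The lookup class behind CVE-2021-44228; some sites deleted it from the JAR as a stopgap.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata bundled in the JAR; the most reliable version source for shaded JARs.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Lowest fixed version per release line, from the Log4j security page:
# 2.3.x (Java 6), 2.12.x (Java 7); every other 2.x line needs 2.17.0 (Java 8+).
FIXED_BY_MINOR = {3: (2, 3, 1), 12: (2, 12, 3)}
FIXED_DEFAULT = (2, 17, 0)


def parse_version(text):
    """Pull a (major, minor, patch) tuple out of text such as 'log4j-core-2.14.1.jar'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def assess(version):
    """Classify a log4j-core version as 'fixed', 'vulnerable', 'not-2.x' or 'unknown'."""
    if version is None:
        return "unknown"
    major, minor, _ = version
    if major != 2:
        return "not-2.x"  # Log4j 1.x is not covered by these three advisories
    return "fixed" if version >= FIXED_BY_MINOR.get(minor, FIXED_DEFAULT) else "vulnerable"


def inspect_jar(path):
    """Return a finding dict for a JAR that contains log4j-core, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if CORE_MARKER not in names:
                return None  # e.g. log4j-api only, or an unrelated JAR
            version = None
            if POM_PROPS in names:
                for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line)
            if version is None:  # fall back to the file name, e.g. log4j-core-2.14.1.jar
                version = parse_version(os.path.basename(path))
            has_jndi = JNDI_LOOKUP in names
    except zipfile.BadZipFile:
        return None
    return {"path": path, "version": version, "status": assess(version),
            "jndi_lookup_present": has_jndi}


def scan(root):
    """Walk root and inspect every .jar, including fat JARs that embed log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return findings


def build_sample_tree():
    """Constructed sample JARs (empty class entries, not real Log4j builds) for a dry run."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = [
        # file name, version in pom.properties, embeds log4j-core, JndiLookup present
        ("log4j-core-2.14.1.jar", "2.14.1", True, False),       # class deleted, still < 2.17.0
        ("log4j-core-2.12.3.jar", "2.12.3", True, True),        # Java 7 line, fixed
        ("app-with-shaded-log4j.jar", "2.16.0", True, True),    # version only in pom.properties
        ("log4j-api-2.14.1.jar", None, False, False),           # API-only JAR: not impacted
    ]
    for name, version, is_core, jndi in samples:
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr("org/apache/logging/log4j/Logger.class", b"")
            if is_core:
                jar.writestr(CORE_MARKER, b"")
                jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if jndi:
                jar.writestr(JNDI_LOOKUP, b"")
    return root


if __name__ == "__main__":
    # Usage: python log4j_scan.py /path/to/hive/lib  (no argument: scan the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan(target):
        ver = ".".join(map(str, f["version"])) if f["version"] else "?"
        jndi = "yes" if f["jndi_lookup_present"] else "no"
        print(f"{f['status']:10} {ver:8} JndiLookup={jndi:3} {f['path']}")
```

A JAR reported as vulnerable with JndiLookup=no has had the CVE-2021-44228 stopgap applied but still needs the upgrade; a 2.16.0 JAR is reported vulnerable because 2.16.0 predates the CVE-2021-45105 fix. Remember that JARs can also live inside WAR/EAR files and in per-user caches such as ~/.m2, which this script does not descend into.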