Apache Log4j Security Vulnerabilities

Administrator, 2021-12-24

In the past few weeks, the Apache Log4j security vulnerabilities have been in the news everywhere. As Kontext publishes several installation guides for Hadoop, Spark, Hive, Kafka and other projects that use Log4j, this article shows you how to find out whether they are impacted and how to fix them.

All Kontext installation guides are published for learning purposes; please don't use them for production.

What is impacted

The page Apache projects affected by log4j CVE-2021-44228 lists all the impacted Apache projects. Of the installation guides on Kontext, Hive is the only one that is impacted.

About the vulnerabilities

Refer to this page for the details of the vulnerabilities and how to fix them: https://logging.apache.org/log4j/2.x/security.html.

Fixes

The following, quoted from the above page, summarizes the fix for Log4j 2.x:

    Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).

    Alternatively, this infinite recursion issue can be mitigated in configuration:

    In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).

    Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

    Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

    Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.


Always refer to the official page about the latest information.
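Two of the points quoted above can be checked with a script: whether the bundled log4j-core JAR is at or above the fixed version for its release line, and whether a PatternLayout still uses ${ctx:...} Context Lookups that should become %X{...} Thread Context Map patterns. The following shell script is an added example written for this article; it is not code from Kontext or from the Apache Log4j project. It reads versions from JAR file names only, and the directory layout and log4j2.xml it creates in demo are constructed for the demonstration, not the real Hive distribution.

```shell
#!/bin/sh
# Added example (not from the Kontext post or the Log4j project): checks an
# operator can run against an installation tree such as the Hive directory
# from the Kontext guides.
#   1. Is each bundled log4j-core JAR at or above the fixed version for its
#      release line (2.3.1, 2.12.3 or 2.17.0, as quoted from the Log4j page)?
#   2. Does a log4j2 configuration still use ${ctx:...} / $${ctx:...} Context
#      Lookups, and what is the %X{...} Thread Context Map replacement?
# Versions are read from JAR file names only; a renamed or shaded JAR needs
# its META-INF/MANIFEST.MF inspected instead.
set -eu

# Print the version embedded in a log4j-core JAR file name, e.g.
# "log4j-core-2.14.1.jar" -> "2.14.1". Other file names print nothing, so the
# unaffected log4j-api JAR is skipped.
log4j_core_version() {
  case "$(basename "$1")" in
    log4j-core-*.jar) basename "$1" .jar | sed 's/^log4j-core-//' ;;
  esac
}

# Return 0 when a log4j-core version is at or above the fixed release for its
# line: 2.17.0 (Java 8 and later), 2.12.3 (Java 7 line), 2.3.1 (Java 6 line).
# Anything else, including 1.x, returns 1 (needs upgrade or manual review).
log4j_core_is_fixed() {
  ver=$1
  [ -n "$ver" ] || return 1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
  patch=${patch%%[!0-9]*}          # drop qualifiers such as "-rc1"
  [ "$major" = 2 ] || return 1
  case "$minor" in
    3)  [ "${patch:-0}" -ge 1 ] ;;
    12) [ "${patch:-0}" -ge 3 ] ;;
    *)  [ "$minor" -ge 17 ] ;;
  esac
}

# Rewrite Context Lookups in a pattern string to Thread Context Map patterns,
# the configuration mitigation the post quotes:
#   ${ctx:loginId} -> %X{loginId}    $${ctx:loginId} -> %X{loginId}
ctx_lookup_to_mdc() {
  printf '%s\n' "$1" |
    sed -e 's/\$\${ctx:\([^}]*\)}/%X{\1}/g' -e 's/\${ctx:\([^}]*\)}/%X{\1}/g'
}

# Scan an installation directory: one line per log4j-core JAR with its status,
# then one line per configuration line that still carries a ${ctx:...} lookup,
# shown with the lookup already rewritten to %X{...}.
scan_install_dir() {
  find "$1" -name 'log4j-core-*.jar' | while read -r jar; do
    ver=$(log4j_core_version "$jar")
    if log4j_core_is_fixed "$ver"; then status=ok; else status=UPGRADE; fi
    printf '%s\t%s\t%s\n' "$status" "$ver" "$jar"
  done
  # /dev/null forces grep to print the file name even when only one file matches
  find "$1" \( -name '*.xml' -o -name '*.properties' \) \
      -exec grep -n '\${ctx:' /dev/null {} + |
    while IFS=: read -r file line text; do
      printf 'LOOKUP\t%s:%s\t%s\n' "$file" "$line" "$(ctx_lookup_to_mdc "$text")"
    done
}

# Constructed sample tree standing in for a Hive installation (not a real
# product layout): an old log4j-core JAR name and a PatternLayout with a lookup.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/lib" "$tmp/conf"
  : > "$tmp/lib/log4j-core-2.14.1.jar"     # empty stand-in, never opened
  : > "$tmp/lib/log4j-api-2.14.1.jar"      # api-only JAR, ignored by the scan
  cat > "$tmp/conf/log4j2.xml" <<'EOF'
<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p [${ctx:loginId}] %m%n"/>
    </Console>
  </Appenders>
</Configuration>
EOF
  scan_install_dir "$tmp"
  rm -rf "$tmp"
}

demo
```

For a real check, call scan_install_dir with the installation directory from the guide (for example the Hive home directory) instead of running demo; an UPGRADE line means the JAR is below the fixed version for its line, and each LOOKUP line shows the configuration line with its %X{...} replacement so it can be applied by hand.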
