December 10, 2021
A very serious vulnerability in the popular Java-based logging package Log4j was disclosed on December 9, 2021. This vulnerability allows an attacker to execute code on a remote server, a so-called Remote Code Execution (RCE).
Be advised that Dremio Software is NOT AFFECTED by this Apache Log4j vulnerability. Dremio uses Logback as its logging framework. [1]
Vulnerability: CVE-2021-44228
Published Date: 12/10/2021
Dremio takes security extremely seriously and it’s embedded in our DNA. Both for our Dremio Software and Dremio Cloud offerings we build everything with security in mind and prioritize accordingly.
The following addresses any remaining concerns about the log4j-named packages that we bundle with Dremio Software [2]:
- org.slf4j:log4j-over-slf4j:1.7.28
  - This is the bridging module that redirects calls made to log4j to slf4j.
  - Dremio Software uses Logback (not log4j) with slf4j.
- org.apache.logging.log4j:log4j-1.2-api:2.13.3
- org.apache.logging.log4j:log4j-api:2.13.3
- org.apache.logging.log4j:log4j-to-slf4j:2.13.3
  - These are the log4j API modules and the bridging module (log4j-to-slf4j) that redirects calls made to log4j to slf4j.
  - Dremio uses Logback (not log4j) with slf4j.
Dremio scans all our builds with OWASP Dependency-Check every day. Those scans also report no finding for this vulnerability in our builds.
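As an added check that is not Dremio's own tooling, the script below applies the reasoning above to a deployment's jar directory: a jar whose name contains "log4j" is only a concern if it is log4j-core itself or actually ships the JNDI lookup class, while the API and bridge artifacts listed on this page are reported as clean. The fixture jars, the temporary directory and the placeholder class bytes are constructed for the demonstration; the JndiLookup class path is the real location of the lookup code inside log4j-core.

```python
import tempfile
import zipfile
from pathlib import Path
# Class implementing the JNDI lookup abused by CVE-2021-44228; it lives only in log4j-core,
# never in log4j-api, log4j-1.2-api, log4j-to-slf4j or log4j-over-slf4j.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def split_jar_name(name):
    """'log4j-1.2-api-2.13.3.jar' -> ('log4j-1.2-api', '2.13.3'); version is the last dash group."""
    stem = name[:-4] if name.endswith(".jar") else name
    artifact, _, version = stem.rpartition("-")
    return (artifact, version) if version[:1].isdigit() else (stem, "unknown")

def classify_jar(path):
    """Return artifact, version and whether the jar actually ships JndiLookup.class."""
    artifact, version = split_jar_name(path.name)
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    return {"artifact": artifact, "version": version, "has_jndi_lookup": has_jndi}

def audit_log4j_jars(jar_dir):
    """Return the log4j-named jars that need a version review.

    API/bridge artifacts (log4j-api, log4j-1.2-api, log4j-to-slf4j, log4j-over-slf4j)
    carry no lookup code, so a name match alone is not a finding: flag a jar only if
    it is log4j-core or contains the JndiLookup class."""
    findings = []
    for jar in sorted(Path(jar_dir).glob("*.jar")):
        if "log4j" not in jar.name.lower():
            continue
        info = classify_jar(jar)
        if info["artifact"] == "log4j-core" or info["has_jndi_lookup"]:
            findings.append(info)
    return findings

def build_sample_jars(jar_dir):
    """Constructed fixture: the bridge/API names from the advisory, logback, and (for contrast) log4j-core."""
    clean = ["log4j-over-slf4j-1.7.28.jar", "log4j-1.2-api-2.13.3.jar", "log4j-api-2.13.3.jar",
             "log4j-to-slf4j-2.13.3.jar", "logback-classic-1.2.3.jar"]
    for name in clean:
        with zipfile.ZipFile(Path(jar_dir) / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(Path(jar_dir) / "log4j-core-2.13.3.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file

def demo():
    """Build the fixture in a temp dir and audit it; only the constructed log4j-core jar is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return audit_log4j_jars(tmp)
```

A flagged log4j-core jar is a prompt to check its version against the Apache advisory, not proof of exploitability on its own, since patched log4j-core releases may still contain the class.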
Notes
[1] Logback is a fork of log4j from the 1.x version. Log4j 1.x is not affected by CVE-2021-44228.
[2] The versions of the log4j-named libraries bundled with different Dremio Software versions may differ, but none of them are vulnerable to CVE-2021-44228.
If you have further questions, please contact Dremio Support via the Support Portal.