FAQ: How is LogScale Responding to the Log4j Log4Shell Vulnerability
Last Updated: 2021-11-21
Between late November and early December 2021, a critical vulnerability (CVE-2021-44228) affecting the Log4j v2 logging framework was reported. This has become known as the Log4Shell issue. On December 15th, a second vulnerability (CVE-2021-45046) was identified and added to this issue.
The Apache Log4j library is used in many Java-based solutions to aid in logging, tracing and reporting information within a Java application. The result is that log4j v2 use is widespread throughout the Java community, particularly in Apache software products, including Apache web servers, Kafka, and elsewhere. The specific vulnerability in log4j v2 enables remote code execution through relatively simple methods.
- All versions of log4j v2 from 2.0-beta9 to 2.14.1 are affected.
- log4j v2 2.15 and later have been patched.
- log4j v2 2.16 provided a further update, also removing the ability to perform these lookups by default.
- log4j v1 is not directly affected by this issue, but is affected by other vulnerabilities.
Who is affected?
Due to the severity of the vulnerability, LogScale recommends that all customers upgrade to a patched version as soon as possible, regardless of your configuration.
What has LogScale done?
Danger: Due to the severity of the vulnerability, LogScale recommends that all customers upgrade to a patched version as soon as possible.
On Friday, December 10th, LogScale updated its dependencies to use Log4j 2.15. These updates were deployed to all cloud instances, and LogScale Cloud and LogScale Community Edition were updated accordingly. This addressed CVE-2021-44228.
On Wednesday, December 15th, LogScale updated its dependencies to use Log4j 2.16. These updates were deployed to all cloud instances, and LogScale Cloud and LogScale Community Edition were updated accordingly. This addresses CVE-2021-45046.
The following versions include updated dependencies:
LogScale will continue to watch and monitor the situation and provide updates and guidance when available.
What Should I do?
If you are using LogScale Cloud, or LogScale Community Edition, the product has already been updated to a version that addresses the issue.
If you are using self-hosted LogScale, please update to at least one of the following versions:
You should also upgrade any tools that are known to use log4j v2. Please visit the appropriate vendor and follow the update guidance for your tools to ensure that you are using a version of the product that has been patched against the vulnerability.
Kafka: Kafka uses log4j 1.2.17, and has no dependence on log4j v2, which is the version that has the "Log4Shell" vulnerabilities. Apache Kafka maintainers are actively working on updating to Log4j v2, and will be updating to at least 2.16. This update will patch the known Log4Shell vulnerabilities. Please visit the Apache Kafka project's security page for more information.
It's important to assess the use of Log4j v2 throughout your environment, and to patch vulnerable infrastructure by upgrading to v2.16+ wherever possible.
Log4j v2 may be embedded as a library component in a wide range of your vendors' products and applications, and the list of impacted vendors continues to grow. We strongly recommend that you follow vendor-specific guidance for mitigation, patching, and update procedures.
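The assessment step above (finding where log4j v2 is embedded and whether it falls in the affected 2.0-beta9 to 2.14.1 range, the 2.15 interim fix, or 2.16+) can be scripted. The following inventory scanner is an added example, not LogScale's or the Apache project's code. It assumes that a Maven-built log4j-core JAR carries a pom.properties file at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties with a `version=` line (which real log4j-core JARs do), and it descends one archive level at a time into nested JARs so that WEB-INF/lib inside a WAR is covered. The sample JAR and WAR files it builds in a temporary directory are constructed for the demonstration; point it at a real directory with a command-line argument.

```python
"""Scan a directory tree for log4j-core JARs and classify each by the
version ranges in the FAQ above. Added example, not vendor code."""
import io
import os
import re
import sys
import tempfile
import zipfile

# Marker file present in Maven-built log4j-core JARs (assumption stated in lead-in)
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.
    A pre-release tag (beta9, rc1, SNAPSHOT) sorts below the final release
    with the same number, so 2.0-beta9 < 2.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    major, minor, patch, tag, tagnum = m.groups()
    prerelease = (0, tag, int(tagnum or 0)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch or 0)) + prerelease


def classify(version):
    """Map a log4j-core version onto the ranges the FAQ describes."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "outside-affected-range"   # FAQ: affected range starts at 2.0-beta9
    if v < parse_version("2.15.0"):
        return "vulnerable"               # 2.0-beta9 .. 2.14.1
    if v < parse_version("2.16.0"):
        return "patched-44228-only"       # 2.15 addresses CVE-2021-44228; 2.16 needed for CVE-2021-45046
    return "patched"                      # 2.16+, lookups disabled by default


def log4j_core_versions(zf):
    """Yield every log4j-core version found in an open archive, descending
    into nested .jar entries (e.g. WEB-INF/lib inside a WAR)."""
    names = zf.namelist()
    if POM_PATH in names:
        for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                yield line.split("=", 1)[1].strip()
    for name in names:
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from log4j_core_versions(inner)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it


def scan_tree(root):
    """Return (path, version, status) for each log4j-core found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    for version in log4j_core_versions(zf):
                        findings.append((path, version, classify(version)))
            except zipfile.BadZipFile:
                continue
    return findings


def make_sample_tree():
    """Build a temp directory of constructed archives for the demonstration."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def jar_bytes(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PATH, "version=%s\nartifactId=log4j-core\n" % version)
        return buf.getvalue()

    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(jar_bytes("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.16.0.jar"), "wb") as f:
        f.write(jar_bytes("2.16.0"))
    # A WAR bundling the interim 2.15 release under WEB-INF/lib
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", jar_bytes("2.15.0"))
    # An unrelated JAR with no log4j-core marker; must produce no finding
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as other:
        other.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for path, version, status in scan_tree(target):
        print("%-24s %-10s %s" % (status, version, path))
```

Run with no arguments to see the three constructed findings (one of them inside the WAR), or pass a directory such as an application server's library path. The classifier deliberately treats 2.15 as its own status rather than "patched", matching the FAQ's point that 2.15 addressed only the first CVE and 2.16+ is the target.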
Where Can I find More Information?
For further questions and concerns contact support at LogScale Support