FAQ: How is Humio Responding to the Log4j Log4Shell Vulnerability

Last Updated: 2021-11-21

Between late November and early December 2021, a critical vulnerability (CVE-2021-44228) impacting the function:Log4j v2 logging framework was reported. This has been identified as the log4shell issue. On December 15th, a second vulnerability (CVE-2021-45046) was identified and added to this issue.

The Apache Log4j library is used in many Java-based solutions to aid in logging, tracing and reporting information within a Java application. The result is that log4j v2 use is widespread throughout the Java community, particularly in Apache software products, including Apache Web Servers, Kafka, and elsewhere. The specific vulnerability within log4j v2 enables remote code execution through relatively simple methods.

All versions of log4j v2 from 2.0-beta9 to 2.14.1 are affected.

log4j v2 2.15 and later have been patched and fixed.

log4j v2 2.16 provided a further update, also removing the ability to perform these lookups by default (CVE-2021-45046)

Versions of log4j v1 are not directly affected by this issue, but are affected by other vulnerabilities.

Who is affected?

Due to the severity of the vulnerability, Humio recommends all customers to upgrade to a patched version as soon as possible, regardless of your configuration.

What has Humio done?

Danger.  Due to the severity of the vulnerability, Humio recommends all customers to upgrade to a patched version as soon as possible

On Friday, December 10th, Humio updated dependencies to use Log4j 2.15. These updates were deployed to all cloud instances. This addressed CVE-2021-44228.

On Wednesday, December 15th, Humio updated the dependencies to use Log4j 2.16. These updates were deployed to all cloud instances. This addresses CVE-2021-45046.

On Friday, December 10th, Humio provided an update to Humio dependencies to update to use Log4j 2.15. Humio Cloud and Humio Community Editions were also updated. This addresses CVE-2021-44228.

On Wednesday, December 15th, Humio update the dependencies updating to Log4j 2.16. Humio Cloud and Humio Community Editions were also updated. This addresses CVE-2021-45046.

The following versions include updated dependencies:

  • Humio 1.30.6

  • Humio 1.32.6

  • Humio 1.34.0

Humio will continue to watch and monitor the situation and provide updates and guidance when available.

What Should I do?

If you are using Humio Cloud, or Humio Community Edition, the product has already been updated to a version that addresses the issue.

If are using self-hosted Humio, please update to at least one of the following versions:

  • Humio 1.30.6

  • Humio 1.32.6

  • Humio 1.34.0

You should also upgrade any tools that are known to use log4j v2. Please visit the appropriate vendor and follow the update guidance for your tools to ensure that you are using a version of the product with a patched update to the vulnerability.

Other Tools

Kafka: Kafka uses log4j 1.2.17, and has no dependence on log4j v2, which is the version that has the "Log4Shell" vulnerabilities. Apache Kafka maintainers are actively working on updating to Log4j v2, and will be updating to at least 2.16. This update will patch the known Log4Shell vulnerabilities. Please visit the Apache Kafka project's security page for more information.

It's important to assess the use of Log4j v2 throughout your environment, and to patch vulnerable infrastructure by upgrading to v2.16+ wherever possible.

Log4j v2 may be embedded as a library component in a wide range of your vendor's products & applications, and the list of impacted vendors continues to grow. We strongly recommend that you follow vendor-specific guidance for mitigation, patching, and update procedures.