To clarify about the mitigations: the "-Dlog4j2.formatMsgNoLookups=true"
mitigation that has been floating around the Internet is *not effective*
for log4j 2.8.2, which was used by Druid 0.22.0 and other recent versions.
If you are going to stay on an older version of Druid, do not use this
mitigation. Instead, use one of the two that we mention in our advisory.

(But upgrading is best!)

On Sat, Dec 11, 2021 at 1:50 AM Jihoon Son <jihoon...@apache.org> wrote:

> Severity: critical
>
>
> Description:
>
> Apache Druid uses the Java logging library Apache Log4j, which has
> recently been identified to have a critical vulnerability that could
> lead to remote code execution (RCE). This vulnerability is triggered
> when an attacker can control any part of a log message. Due to the
> wide attack surface, it is critical that all Druid users patch or
> mitigate this vulnerability as soon as possible.
>
> The Log4j advisory is available at
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
>
>
> Affected versions:
>
> Druid 0.22.0 and earlier are affected.
>
>
> Mitigation:
>
> We recommend that all users upgrade to Druid 0.22.1, which contains
> Apache Log4j 2.15.0. This version of Log4j has a fix for the
> vulnerability.
>
> If you are unable to upgrade Druid at this time, we recommend
> deploying a mitigation. Please refer to the Log4j announcement for
> details on possible mitigations:
> https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4.
>
> Different Log4j versions have different mitigation options. Check the
> "lib" directory of your Druid installation for the "log4j-core" jar to
> see what version of Log4j you have. Recent versions of Druid use Log4j
> 2.8.2. Two possible mitigations for Log4j 2.8.2 are:
>
> 1) Specify "%m{nolookups}" in the PatternLayout configuration of your
> log4j2.xml file. Druid installations may have multiple log4j2.xml
> files; be sure to update all of them.
>
> 2) Remove the JndiLookup and JndiManager classes from the log4j-core jar.
>
> These mitigations require a cluster restart to take effect.
>
>
> References:
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> For additional commands, e-mail: dev-h...@druid.apache.org
>
>
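The advisory above lists three checks a Druid operator has to make by hand: which log4j-core version sits in the "lib" directory, whether the JndiLookup/JndiManager classes have been removed from that jar, and whether every log4j2.xml PatternLayout renders the message with "%m{nolookups}". The script below is an added example (not part of the advisory or of the Druid project) that automates those checks as a defender-side audit. It assumes the Log4j version can be read from the jar's filename, uses the real class paths of JndiLookup and JndiManager inside log4j-core, and builds its own toy install tree with a constructed log4j2.xml so it can run offline; the directory layout is a stand-in, not Druid's actual one. It also encodes the point made in the reply at the top of the thread: the formatMsgNoLookups property does not apply to Log4j 2.8.2 (the property was only introduced in 2.10.0), so the audit never counts it as a mitigation for older jars.

```python
"""Audit a Druid-style install for CVE-2021-44228 mitigations (added example)."""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Real class paths inside log4j-core; mitigation 2 in the advisory removes these.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_MANAGER_CLASS = "org/apache/logging/log4j/core/net/JndiManager.class"
FIXED_VERSION = (2, 15, 0)            # version shipped with Druid 0.22.1
PROPERTY_MIN_VERSION = (2, 10, 0)     # formatMsgNoLookups exists only from 2.10.0


def parse_version(jar_path):
    """Return (major, minor, patch) from a log4j-core-X.Y.Z.jar filename, else None."""
    m = re.match(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", os.path.basename(jar_path))
    return tuple(int(x) for x in m.groups()) if m else None


def property_mitigation_applies(version):
    """The -Dlog4j2.formatMsgNoLookups=true flag is only meaningful on 2.10.0+."""
    return version is not None and version >= PROPERTY_MIN_VERSION


def jar_has_jndi_classes(jar_path):
    """True if the jar still contains the JNDI lookup/manager classes."""
    with zipfile.ZipFile(jar_path) as z:
        names = set(z.namelist())
    return bool(names & {JNDI_LOOKUP_CLASS, JNDI_MANAGER_CLASS})


# %m, %msg and %message all emit the log message; only {nolookups} disables substitution.
_MSG_CONVERSION = re.compile(r"%(?:message|msg|m)(?![A-Za-z])(?:\{[^}]*\})?")


def unsafe_patterns(log4j2_xml_path):
    """Return PatternLayout patterns in a log4j2.xml that lack %m{nolookups}."""
    bad = []
    for layout in ET.parse(log4j2_xml_path).iter("PatternLayout"):
        pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
        if any("nolookups" not in conv for conv in _MSG_CONVERSION.findall(pattern)):
            bad.append(pattern)
    return bad


def audit(install_dir):
    """Walk an install tree and report jar state plus configs still needing %m{nolookups}."""
    jars, configs = [], []
    for root, _, files in os.walk(install_dir):
        for f in files:
            path = os.path.join(root, f)
            if f.startswith("log4j-core-") and f.endswith(".jar"):
                jars.append(path)
            elif f == "log4j2.xml":
                configs.append(path)
    report = {"jars": [], "unpatched_configs": [], "needs_action": False}
    for jar in jars:
        ver = parse_version(jar)
        report["jars"].append({
            "path": jar, "version": ver,
            "fixed": ver is not None and ver >= FIXED_VERSION,
            "jndi_present": jar_has_jndi_classes(jar),
            "property_flag_usable": property_mitigation_applies(ver),
        })
    report["unpatched_configs"] = [c for c in configs if unsafe_patterns(c)]
    # Action is needed when a pre-2.15.0 jar still has the JNDI classes (mitigation 2
    # not applied) AND at least one config still renders messages with lookups on.
    vulnerable_jar = any(j["jndi_present"] and not j["fixed"] for j in report["jars"])
    report["needs_action"] = vulnerable_jar and bool(report["unpatched_configs"])
    return report


def build_sample(base, strip_jndi=False, nolookups=False):
    """Construct a toy install (stand-in layout, not Druid's) with a fake 2.8.2 jar."""
    lib, conf = os.path.join(base, "lib"), os.path.join(base, "conf")
    os.makedirs(lib, exist_ok=True)
    os.makedirs(conf, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.8.2.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if not strip_jndi:                       # empty stand-ins for the class files
            z.writestr(JNDI_LOOKUP_CLASS, b"")
            z.writestr(JNDI_MANAGER_CLASS, b"")
    msg = "%m{nolookups}" if nolookups else "%m"
    xml = ('<?xml version="1.0" encoding="UTF-8"?>\n<Configuration status="WARN">\n'
           '  <Appenders><Console name="Console" target="SYSTEM_OUT">\n'
           f'    <PatternLayout pattern="%d{{ISO8601}} %p [%t] %c - {msg}%n"/>\n'
           '  </Console></Appenders>\n'
           '  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>\n'
           '</Configuration>\n')
    with open(os.path.join(conf, "log4j2.xml"), "w", encoding="utf-8") as fh:
        fh.write(xml)
    return base


def demo():
    """Audit three constructed installs; returns needs_action per scenario."""
    scenarios = {"unmitigated": {}, "jar_stripped": {"strip_jndi": True},
                 "pattern_fixed": {"nolookups": True}}
    with tempfile.TemporaryDirectory() as tmp:
        return {name: audit(build_sample(os.path.join(tmp, name), **kw))["needs_action"]
                for name, kw in scenarios.items()}


if __name__ == "__main__":
    for name, needs_action in demo().items():
        print(f"{name}: {'ACTION NEEDED' if needs_action else 'mitigated'}")
```

Run it against a real install by calling `audit("/path/to/druid")`; the "unpatched_configs" list is what to fix first if the jar has not been stripped, and, as the advisory notes, either change only takes effect after a cluster restart.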
