Bringing together the Apache Cassandra experts from the community and DataStax.

Want to learn? Have a question? Want to share your expertise? You are in the right place!

Not sure where to begin? Getting Started

 

question

Marcos_Carbonell avatar image
Marcos_Carbonell asked Erick Ramirez edited

Is the Cassandra Docker image cassandra:3.11 vulnerable to the log4j exploit?

Hello!

Given that last week information was disclosed regarding an RCE exploit with the log4j library, we are trying to find out if our docker image of Cassandra 3.11 is vulnerable as well.

The exploit link can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Thanks!

securitydockercve
10 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

1 Answer

Erick Ramirez avatar image
Erick Ramirez answered

Apache Cassandra uses logback as the default logger, not Log4j so it is not affected by the vulnerability identified in CVE-2021-44228.

In any case even if you switch to using Log4j over SLF4J, SLF4J uses log4j 1.x which is not affected by the vulnerability. The exploit in CVE-2021-44228 allows an attacker to inject a JNDI or LDAP string. Log4J 2.x is vulnerable to the exploit because it performs lookups using the JNDI -- Log4J 1.x does not have this functionality. Cheers!

Share
10 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.