Is the Cassandra Docker image cassandra:3.11 vulnerable to the log4j exploit?

Question

question

Marcos_Carbonell asked Dec 13, '21 Erick Ramirez edited Dec 14, '21

Is the Cassandra Docker image cassandra:3.11 vulnerable to the log4j exploit?

Hello!

Given that last week information was disclosed regarding an RCE exploit with the log4j library, we are trying to find out if our docker image of Cassandra 3.11 is vulnerable as well.

The exploit link can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Thanks!

security docker cve

10 |1000

Attachments: Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

DataStax Enterprise is powered by the best distribution of Apache Cassandra ™

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Privacy Policy Terms of Use

Answer 1 · 2021-12-14T04:47:40Z

Erick Ramirez answered Dec 14, '21

Apache Cassandra uses logback as the default logger, not Log4j so it is not affected by the vulnerability identified in CVE-2021-44228.

In any case even if you switch to using Log4j over SLF4J, SLF4J uses log4j 1.x which is not affected by the vulnerability. The exploit in CVE-2021-44228 allows an attacker to inject a JNDI or LDAP string. Log4J 2.x is vulnerable to the exploit because it performs lookups using the JNDI -- Log4J 1.x does not have this functionality. Cheers!

Share

10 |1000

Attachments: Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

question