Yashraj asked:

Is there any impact of the log4j vulnerability CVE-2021-44228 on Cassandra?

Hello All,

Is there any impact of the log4j vulnerability CVE-2021-44228 on Cassandra?


starlord answered:

The affected versions are Apache Log4j versions 2.0-2.14.1; however, current DSE products use a version prior to 2.0, so if you use a DSE product you are not affected.

If you use an affected version, however, you can set the following JVM flag to close the vulnerability:

-Dlog4j2.formatMsgNoLookups=true


Erick Ramirez answered:

Apache Cassandra uses Logback as the default logger, not Log4j, so it is not affected by the vulnerability identified in CVE-2021-44228.

In any case, even if you switch to using Log4j over SLF4J, SLF4J uses Log4j 1.x, which is not affected by the vulnerability. The exploit in CVE-2021-44228 allows an attacker to inject a JNDI or LDAP string. Log4j 2.x is vulnerable to the exploit because it performs lookups using JNDI; Log4j 1.x does not have this functionality. Cheers!


muthuselvam.chandramohan_158788 commented:

Hi Erik, Log4j 1.x has reached EOL per Apache (https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces), so that version is considered vulnerable by most orgs. So we need to have Log4j migrated to version 2.16. What is the approach to have this fixed with 2.16, and would that be compatible with and supported by DataStax?

Thanks,

Muthu

Erick Ramirez commented:
I'd recommend you read my answer again. Cassandra uses Logback, not Log4j. Cheers!
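The two answers above boil down to an inventory check: which logging jar a node actually ships (Logback, Log4j 1.x, or Log4j 2.x), whether a Log4j 2.x version falls in the 2.0-2.14.1 range, and whether the `-Dlog4j2.formatMsgNoLookups=true` flag is present. The following audit script is an added example, not code from this thread or from DataStax; the jar names it inspects are constructed samples, and it assumes the affected range stated above.

```python
import re
from pathlib import Path

# Affected range for CVE-2021-44228 as stated in the thread: Log4j 2.0 through 2.14.1.
AFFECTED_MAX = (2, 14, 1)
# The formatMsgNoLookups property is only honoured by Log4j 2.10.0 and later.
FLAG_MIN = (2, 10, 0)
FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# Matches e.g. log4j-core-2.14.1.jar, log4j-1.2.17.jar, logback-classic-1.2.9.jar
JAR_RE = re.compile(r"^(log4j-core|log4j|logback-classic)-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_jar(name):
    """Return (artifact, (major, minor, patch)) for a logging jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(x or 0) for x in m.group(2, 3, 4))


def classify(artifact, version, jvm_opts):
    """Classify one logging jar against CVE-2021-44228."""
    if artifact == "logback-classic":
        return "logback: not affected by CVE-2021-44228"
    if version[0] == 1:
        return "log4j 1.x: no JNDI lookups, not affected by CVE-2021-44228 (but EOL)"
    if version <= AFFECTED_MAX:
        if FLAG in jvm_opts and version >= FLAG_MIN:
            return "AFFECTED: mitigated by formatMsgNoLookups, upgrade still required"
        return "AFFECTED: upgrade required"
    return "log4j 2.x outside the 2.0-2.14.1 range"


def audit(jar_names, jvm_opts=()):
    """Map each recognised logging jar to its classification; other jars are ignored."""
    result = {}
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed:
            result[name] = classify(parsed[0], parsed[1], jvm_opts)
    return result


def audit_dir(lib_dir, jvm_opts=()):
    """Audit every jar in a lib directory (for example a Cassandra lib/ directory)."""
    return audit([p.name for p in Path(lib_dir).glob("*.jar")], jvm_opts)


if __name__ == "__main__":
    # Constructed sample jar names, not a real installation.
    sample = ["logback-classic-1.2.9.jar", "log4j-core-2.14.1.jar", "log4j-1.2.17.jar", "guava-27.0.jar"]
    for jar, verdict in audit(sample, [FLAG]).items():
        print(f"{jar}: {verdict}")
```

Pass the node's actual JVM options (for example the contents of jvm.options) as `jvm_opts` so the flag check reflects what the process really runs with.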