Is there any impact of the log4j vulnerability CVE-2021-44228 on Cassandra?
The affected versions are Apache Log4j versions 2.0-2.14.1; however, current DSE products use a version previous to 2.0, so if you use a DSE product you are not affected.
If you use an affected version, however, you can utilize the following JVM flag to close the vulnerability:
In any case, even if you switch to using Log4j over SLF4J, SLF4J uses Log4j 1.x, which is not affected by the vulnerability. The exploit in CVE-2021-44228 allows an attacker to inject a JNDI or LDAP string. Log4j 2.x is vulnerable to the exploit because it performs lookups using JNDI -- Log4j 1.x does not have this functionality. Cheers!
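To check a node against the version range given in the answer above, the following added example (not part of the original answer and not DataStax or Apache code) classifies the Log4j jars found under a directory. The range constants come from the answer; the helper names, the `make_jar` sample builder and the scanned directory are assumptions of this example.

```python
import io, re, sys, zipfile
from pathlib import Path
# Range as stated in the answer above: Log4j 2.0 through 2.14.1 (1.x is outside it).
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# The JNDI lookup code ships in log4j-core, so that is the artifact to look for.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j(?:-core)?-(\d[^/\\]*)\.jar$")

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> (2, 14, 1) / (2, 0, 0); None if not numeric."""
    m = re.match(r"\d+(?:\.\d+){0,2}", text)
    nums = [int(n) for n in m.group().split(".")] if m else None
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def jar_version(name, data):
    """Prefer Maven metadata inside the jar (survives renaming), else the file name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            if POM_PROPS in jar.namelist():
                props = jar.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                if m:
                    return parse_version(m.group(1))
    except zipfile.BadZipFile:
        pass  # unreadable archive: fall back to the file name
    m = NAME_RE.search(name)
    return parse_version(m.group(1)) if m else None

def classify(name, data):
    version = jar_version(name, data)
    if version is None:
        return "not-log4j"
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside-range"

def make_jar(version=None):
    """Constructed sample input: a minimal jar, optionally with log4j-core metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM_PROPS, f"version={version}\n")
    return buf.getvalue()

def scan(directory):
    return {p.name: classify(p.name, p.read_bytes()) for p in Path(directory).rglob("*.jar")}

if __name__ == "__main__":
    for name, verdict in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{verdict:14} {name}")
```

Run it with the directory that holds the node's jars as the only argument. It does not look inside nested or shaded archives, so a fat jar that bundles log4j-core under another name is reported as `not-log4j`.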