Hello All,
Is there any impact of the log4j vulnerability CVE-2021-4104 on Opscenter?
We are using Opscenter 6.1.6 and it has /usr/share/opscenter/lib/jvm/log4j-1.2.9.jar
Bringing together the Apache Cassandra experts from the community and DataStax.
Want to learn? Have a question? Want to share your expertise? You are in the right place!
Not sure where to begin? Getting Started
This question was
closed
by
Erick Ramirez for the following reason: Other
Is there any impact of the log4j vulnerability CVE-2021-4104 on OpsCenter ?
The CVE requires the JMSAppender, which neither Opscenterd nor the agents use. Thus, it is not affected by the vulnerability.
As it states in CVE-2021-4104, Log4j 1.2 is vulnerable when an attacker gains access to modify the Log4j configuration file (log4j.properties). An attacker is able to execute arbitrary code IF they configure Log4j to use the JMSAppender and make it point to the attacker's own JNDI LDAP endpoint.
To be clear, Log4j is only vulnerable to this specific exploit with these two scenarios:
- Log4j is configured to use the
JMSAppender. - An attacker gained access to the server to modify configuration files.
OpsCenter is not exposed to scenario #1 because the agent is not configured to use this appender. If scenario #2 is true, then I would suggest that you have bigger problems than just OpsCenter because an attacker has penetrated your environment and circumvented your security measures.
Given that Log4j 1.x has reached it's end of life (EOL), it is being replaced in the next release of OpsCenter. Cheers!
6 People are following this question.
