Hello All,
Is there any impact of the log4j vulnerability CVE-2021-4104 on Opscenter?
We are using Opscenter 6.1.6 and it has /usr/share/opscenter/lib/jvm/log4j-1.2.9.jar
As it states in CVE-2021-4104, Log4j 1.2 is vulnerable when an attacker gains access to modify the Log4j configuration file (log4j.properties). An attacker is able to execute arbitrary code IF they configure Log4j to use the JMSAppender and make it point to the attacker's own JNDI LDAP endpoint.
To be clear, Log4j is only vulnerable to this specific exploit with these two scenarios:
JMSAppender.
OpsCenter is not exposed to scenario #1 because the agent is not configured to use this appender. If scenario #2 is true, then I would suggest that you have bigger problems than just OpsCenter because an attacker has penetrated your environment and circumvented your security measures.
Given that Log4j 1.x has reached its end of life (EOL), it is being replaced in the next release of OpsCenter. Cheers!
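A read-only check for the two conditions the answer names, as an added example that is not part of the original answer or DataStax code: it scans Log4j 1.x `.properties` files for a configured JMSAppender and flags config files that group or other users can write. The sample config, the function names and the directory argument are assumptions; XML-format Log4j configs are not covered.

```python
import os, re, stat, sys

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender options whose values are resolved through JNDI lookups
JNDI_OPTIONS = {"topicbindingname", "topicconnectionfactorybindingname"}
# Constructed sample config, not taken from any OpsCenter install
SAMPLE = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.jms = org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=constructedTopic
"""

def parse_properties(text):
    """Parse key=value pairs, skipping blank lines and #/! comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def find_jms_appenders(text):
    """Return {appender name: {JNDI option: value}} for each JMSAppender."""
    props = parse_properties(text)
    found = {k.split(".")[2]: {} for k, v in props.items()
             if re.fullmatch(r"log4j\.appender\.[^.]+", k) and v == JMS_CLASS}
    for key, value in props.items():
        p = key.split(".")
        if p[:2] == ["log4j", "appender"] and len(p) == 4 \
                and p[2] in found and p[3].lower() in JNDI_OPTIONS:
            found[p[2]][p[3]] = value
    return found

def loosely_writable(path):
    """True if group or other can write the file (config tampering risk)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_tree(root):
    """Yield (path, JMSAppender findings, loosely writable?) per .properties file."""
    for d, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".properties")):
            path = os.path.join(d, name)
            with open(path, errors="replace") as fh:
                yield path, find_jms_appenders(fh.read()), loosely_writable(path)

if __name__ == "__main__":
    for row in audit_tree(sys.argv[1]):  # argument: directory holding the configs
        print(row)
```

An empty findings dict together with `False` for the writable flag means neither condition was seen for that file; it says nothing about configs supplied in other formats or locations.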