Bringing together the Apache Cassandra experts from the community and DataStax.

Want to learn? Have a question? Want to share your expertise? You are in the right place!

Not sure where to begin? Getting Started

 

question

Yashraj avatar image
Yashraj asked Erick Ramirez commented

Is there any impact of the log4j vulnerability CVE-2021-44228 on Cassandra ?

Hello All,

Is there any impact of the log4j vulnerability CVE-2021-44228 on Cassandra ?

cve
10 |1000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

starlord avatar image
starlord answered

The affected versions are Apache Log4j, versions 2.0-2.14.1, however current DSE products use a version previous to 2.0, so if you use a DSE product you are not affected.

If you use an affected version however, you can utilize the following jvm flag to close the vulnerability:

-Dlog4j2.formatMsgNoLookups=true

Share
10 |1000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Erick Ramirez avatar image
Erick Ramirez answered Erick Ramirez commented

Apache Cassandra uses logback as the default logger, not Log4j so it is not affected by the vulnerability identified in CVE-2021-44228.

In any case even if you switch to using Log4j over SLF4J, SLF4J uses log4j 1.x which is not affected by the vulnerability. The exploit in CVE-2021-44228 allows an attacker to inject a JNDI or LDAP string. Log4J 2.x is vulnerable to the exploit because it performs lookups using the JNDI -- Log4J 1.x does not have this functionality. Cheers!

2 comments Share
10 |1000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Hi Erik, Log4j 1.x has reached EOL per Apache (https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces). So the version is considered vulnerable for most of the orgs. So we need to have log4j migrated to 2.16 version. What is the approach to have this fixed with 2.16 and would that be compatible and supported by Datastax.

Thanks,

Muthu

0 Likes 0 ·
Erick Ramirez avatar image Erick Ramirez ♦♦ muthuselvam.chandramohan_158788 ·
I'd recommend you read my answer again. Cassandra uses Logback, not Log4j. Cheers!
0 Likes 0 ·