shehzadjahagirdar_185613 asked, Erick Ramirez answered

What is the impact of the log4j vulnerability CVE-2021-44228 on Cassandra 3.11.3?

What is the impact of the log4j vulnerability CVE-2021-44228 on Apache Cassandra version 3.11.3? Also, if we update the log4j-over-slf4j-1.7.7.jar in the lib folder, will it impact Apache Cassandra 3.11.3 performance?


1 Answer

Erick Ramirez answered

Apache Cassandra uses logback as the default logger, not Log4j, so it is not affected by the vulnerability identified in CVE-2021-44228.

In any case, even if you switch to using Log4j over SLF4J, SLF4J uses log4j 1.x, which is not affected by the vulnerability. The exploit in CVE-2021-44228 allows an attacker to inject a JNDI or LDAP string. Log4J 2.x is vulnerable to the exploit because it performs lookups using JNDI; Log4J 1.x does not have this functionality. Cheers!

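A practical way to confirm the answer above on a given node is to inventory the logging jars in the Cassandra lib folder and separate the component that actually carries the JNDI lookup (log4j-core 2.x below 2.15.0) from logback, log4j 1.x and the log4j-over-slf4j bridge. The script below is an added example, not code from the original post or from the Cassandra project; the jar names in SAMPLE_LIB are constructed to resemble a 3.11 lib folder, and scan_lib_dir() is a hypothetical helper for running the same check on a real directory.

```python
import re
from pathlib import Path

# log4j-core 2.x below this version performs JNDI lookups on logged strings
# and is affected by CVE-2021-44228 (the first fix shipped in 2.15.0).
FIRST_FIXED = (2, 15, 0)

# Matches Maven-style jar names such as log4j-over-slf4j-1.7.7.jar.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*(?:-\w+)?)\.jar$")

def parse_version(version):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '2.0-beta9' compares as (2, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def classify_jar(filename):
    """Return a status string for logging-related jars, None for anything else."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    artifact, ver = m.group("artifact"), parse_version(m.group("version"))
    if artifact == "log4j-core":
        if ver[0] == 2 and ver < FIRST_FIXED:
            return "AFFECTED: log4j-core 2.x with JNDI lookup (CVE-2021-44228)"
        return "log4j-core 2.15.0 or later: not affected by CVE-2021-44228 (review later CVEs separately)"
    if artifact == "log4j" and ver[0] == 1:
        return "log4j 1.x: no JNDI lookup feature, not affected by CVE-2021-44228"
    if artifact in ("log4j-over-slf4j", "log4j-to-slf4j"):
        return "bridge only: forwards log4j API calls to SLF4J, contains no lookup code"
    if artifact.startswith("logback-"):
        return "logback (Cassandra's default logger), not log4j"
    return None

def assess(jar_names):
    """Classify every jar name; returns (findings, affected)."""
    findings = {}
    for name in jar_names:
        status = classify_jar(name)
        if status:
            findings[name] = status
    affected = any(s.startswith("AFFECTED") for s in findings.values())
    return findings, affected

def scan_lib_dir(lib_dir):
    """Hypothetical helper: run assess() over a real lib folder such as $CASSANDRA_HOME/lib."""
    return assess(sorted(p.name for p in Path(lib_dir).glob("*.jar")))

# Constructed sample resembling the logging jars of a Cassandra 3.11 lib folder.
SAMPLE_LIB = ["logback-classic-1.1.3.jar", "logback-core-1.1.3.jar",
              "log4j-over-slf4j-1.7.7.jar", "slf4j-api-1.7.7.jar", "guava-18.0.jar"]

if __name__ == "__main__":
    findings, affected = assess(SAMPLE_LIB)
    for jar, status in findings.items():
        print(f"{jar}: {status}")
    print("affected by CVE-2021-44228:", affected)
```

Replacing the log4j-over-slf4j bridge jar changes nothing about exposure to this CVE, since the bridge carries no lookup code; the jar that matters is log4j-core, which a default Cassandra 3.11 installation does not ship.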