oci-hdfs-connector
Log4j vulnerability in OCI HDFS Connector
Update 2021-12-20: We've updated the version of the log4j dependencies to 2.17.0 in our latest release of the OCI HDFS Connector (version 3.3.1.0.3.0). The latest version is available via the GitHub source/releases and Maven to download and use.
Update 2021-12-20: Another vulnerability was discovered in version 2.16.0 of log4j that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This vulnerability has been published as CVE-2021-45105. We're working on releasing a new version of the OCI HDFS Connector with log4j version 2.17.0, which has the fix for the aforementioned vulnerability.
Update 2021-12-15: We've updated the version of the log4j dependencies to 2.16.0 in our latest release of the OCI HDFS Connector (version 3.3.1.0.2.0). The latest version is available via the GitHub source/releases and Maven to download and use.
On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) when a certain string is logged. The vulnerability has now been published as CVE-2021-44228. It affects all versions of log4j that are <= 2.14.1.
Since all previous versions of the OCI HDFS Connector have a direct dependency on log4j versions <= 2.14.1, this vulnerability can also be exploited in the OCI HDFS Connector. We will soon release a fix for the connector that upgrades log4j to version 2.17.0, which contains the fix for the aforementioned vulnerability.
Workaround
As a workaround, customers who use the older versions of the OCI HDFS Connector will need to define a dependency on version 2.17.0 of the following packages in their project pom file, in order to override the older versions of log4j coming from the OCI HDFS Connector:
org.apache.logging.log4j:log4j-core
org.apache.logging.log4j:log4j-slf4j-impl
org.apache.logging.log4j:log4j-1.2-api
org.apache.logging.log4j:log4j
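The following pom fragment is an added example of how that override can be expressed; it is not taken from the OCI HDFS Connector project. It assumes a consumer project that already declares `com.oracle.oci.sdk:oci-hdfs-connector` as a dependency (the group and artifact coordinates and the `${oci.hdfs.connector.version}` property are placeholders for whatever the project actually uses). Entries in `dependencyManagement` take precedence over versions pulled in transitively, so Maven resolves the connector's log4j artifacts at 2.17.0 instead of the vulnerable version. `org.apache.logging.log4j:log4j` is the parent POM (packaging `pom`), so it is declared with `<type>pom</type>`.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the consuming project (constructed for this example). -->
  <groupId>com.example</groupId>
  <artifactId>hdfs-connector-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Single place to bump log4j when a new advisory lands. -->
    <log4j2.version>2.17.0</log4j2.version>
    <!-- Placeholder: set to the connector release actually in use. -->
    <oci.hdfs.connector.version>REPLACE_WITH_CONNECTOR_VERSION</oci.hdfs.connector.version>
  </properties>

  <!--
    dependencyManagement pins the version Maven chooses for these artifacts
    wherever they appear in the tree, including the transitive declarations
    coming from oci-hdfs-connector. This is the mechanism that overrides the
    connector's own log4j <= 2.14.1 (or 2.16.0) dependency.
  -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-slf4j-impl</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-1.2-api</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
      <dependency>
        <!-- Parent POM of the log4j modules; packaging is pom, hence the type. -->
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>${log4j2.version}</version>
        <type>pom</type>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The connector itself; its transitive log4j artifacts are now managed above. -->
    <dependency>
      <groupId>com.oracle.oci.sdk</groupId>
      <artifactId>oci-hdfs-connector</artifactId>
      <version>${oci.hdfs.connector.version}</version>
    </dependency>
  </dependencies>
</project>
```

After editing the pom, confirm that no log4j artifact below 2.17.0 remains anywhere in the resolved tree with `mvn dependency:tree -Dincludes=org.apache.logging.log4j`; every matching line should show `2.17.0`. The check matters because a `dependencyManagement` entry only controls artifacts Maven resolves for this project, so a log4j jar bundled on a cluster classpath outside the build (for example, shipped inside a fat jar or a Hadoop lib directory) is not covered by it and has to be replaced separately.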
(Comment updated to reflect that CVE-2021-45046 requires upgrading to 2.17.0 or newer.)