Log4j Security Incident

December 11, 2021

Special Vulnerability Advisory

Last updated: 3 January 2022, 11:13am PST.

Check your project doesn’t use Log4j directly or indirectly. If it does, Log4j versions 2.3.2 (Java 6), 2.12.4 (Java 7), and 2.17.1 (Java 8 and later) are the releases you should update to.

On December 9, 2021 a vulnerability impacting versions 2.0-beta9 to 2.14.1 of the Apache Log4j 2 utility was announced on its GitHub page. This has been assigned CVE-2021-44228.

On December 12, 2021, it was confirmed that versions 1.2.* of the Apache Log4j library (the 1.x branch) are also vulnerable under certain non-default configurations. This has been assigned CVE-2021-4104.

On December 14, 2021, it was announced that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations, affecting Log4j versions from 2.0-beta9 to 2.15.0. This has been assigned CVE-2021-45046.

On December 18, 2021, a DoS (denial-of-service) vulnerability was found, affecting Log4j versions from 2.0-beta9 to 2.16.0. This has been assigned CVE-2021-45105.

On December 28, 2021, another way of exploiting the previous RCE vulnerabilities was found, which applies when the attacker can modify the logging configuration file. This affects Log4j versions 2.0-alpha7 to 2.17.0 and has been assigned CVE-2021-44832.

Since the first announcement, a wave of cyber attacks exploiting these vulnerabilities in the wild has been taking place.

Our security team has been analyzing the impact for ourselves, as well as for our customers and the larger Python community. Our findings so far are outlined below and will be updated here regularly.

Overview of CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832

Log4j is a Java logging library.

CVE-2021-44228 is a zero-day RCE (remote code execution) vulnerability of critical severity that should be remediated immediately. Its CVSS v3 score is 10.0, the maximum possible. A patch for this CVE was included in Log4j version 2.15.0.

CVE-2021-4104 is an RCE vulnerability similar to CVE-2021-44228, but affecting the 1.2.* branch and only exploitable under non-default configurations. There’s no fix available: the Log4j 1.x branch reached End-of-Life in 2015 and has further unfixed vulnerabilities.

The original severity of CVE-2021-45046 was raised from moderate to severe after security experts found additional exploits against the Log4j 2.15.0 release. Impacts range from information leaks to RCE and LCE (local code execution). Log4j versions 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue.

CVE-2021-45105 is a severe vulnerability that can lead to a complete loss of availability of the exploited service. Log4j versions 2.3.1 (Java 6), 2.12.3 (Java 7), and 2.17.0 (Java 8 and later) handle this issue.

CVE-2021-44832 is an RCE of medium severity, because it requires the attacker to control the logging configuration file. Log4j versions 2.3.2 (Java 6), 2.12.4 (Java 7), and 2.17.1 (Java 8 and later) are the releases you should update to in order to fix all issues.

Additional information about the Log4j vulnerability can be found here, and a growing list of audited software packages that are or may be vulnerable to the Log4j vulnerability can be found here. Please read and review both thoroughly.
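As an added example (not PyUp’s code and not part of the Safety tool), the following Python script performs the check this advisory asks for: it walks a directory such as a virtualenv’s site-packages, opens every JAR, wheel or other archive, recurses into archives nested inside them (wheels for Python bindings of Java projects commonly bundle JARs), identifies log4j-core by its package path, reads the version from the JAR manifest, and compares it against the fixed releases listed above. The wheel name, file layout and versions in the built-in fixture are constructed, not taken from any real package.

```python
import io, re, zipfile
from pathlib import Path

# Fixed releases from the advisory: 2.3.2 (Java 6), 2.12.4 (Java 7), 2.17.1 (Java 8 and later lines).
FIXED = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
CORE_PREFIX = "org/apache/logging/log4j/core/"  # present in log4j-core only, not in log4j-api
ARCHIVES = (".jar", ".zip", ".whl", ".war", ".ear")

def is_fixed(version):
    """True only when a '2.14.1' / '2.0-beta9' style version carries all five fixes; unknown fails closed."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    v = tuple(int(p or 0) for p in m.groups()) if m else None
    return v is not None and v >= FIXED.get(v[:2], (2, 17, 1))

def jar_version(zf, label):
    """Implementation-Version from META-INF/MANIFEST.MF, else fall back to the JAR file name."""
    manifest = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in zf.namelist() else b""
    m = re.search(rb"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1).decode() if m else label.rsplit("/", 1)[-1]

def scan_archive(zf, label, findings):
    """Record (location, version, fixed) for each log4j-core found; recurse into nested archives."""
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = jar_version(zf, label)
        findings.append((label, version, is_fixed(version)))
    for n in names:
        if n.lower().endswith(ARCHIVES):  # wheels and uber-JARs carry JARs inside them
            with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                scan_archive(inner, f"{label}!{n}", findings)

def scan_tree(root):
    """Scan every archive below root, e.g. a virtualenv's site-packages directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            with zipfile.ZipFile(path) as zf:  # a mis-named non-zip file raises zipfile.BadZipFile
                scan_archive(zf, path.as_posix(), findings)
    return findings

def scan_constructed_sample():
    """Constructed fixture (not a real package): a wheel bundling a log4j-core 2.14.1 JAR."""
    jar, whl, findings = io.BytesIO(), io.BytesIO(), []
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\r\n")
        z.writestr(CORE_PREFIX + "Logger.class", b"")
    with zipfile.ZipFile(whl, "w") as w:
        w.writestr("constructed_sdk/jars/log4j-core-2.14.1.jar", jar.getvalue())
    with zipfile.ZipFile(io.BytesIO(whl.getvalue())) as zf:
        scan_archive(zf, "constructed_sdk-1.0-py3-none-any.whl", findings)
    return findings
```

Any finding whose third field is False needs the branch-appropriate upgrade; a finding whose version field is a file name means the JAR had no manifest version and should be inspected by hand.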

PyUp Production Servers

PyUp’s production servers do not use Java, and are therefore not impacted by Log4j. Our team has confirmed that Log4j is not present in these systems.

PyUp’s Safety command line tool

PyUp’s Safety command line tool, which is used by our customers to scan their Python environments for dependency vulnerabilities and track compliance, is not impacted by Log4j. Safety is a Python package and does not rely on any transitive dependencies that may include Log4j.

For PyUp Customers

At this time, we do not require PyUp customers to make any changes or remediate our software or services. We will continue to monitor and research the impact of this vulnerability and we will communicate any changes to this advisory if our customers are impacted.

Dependencies in the Python ecosystem

Our security team has identified 28 Python dependencies that may be run alongside and in conjunction with Log4j. There are likely more impacted, and we will keep this list updated as we find more.

Teams that are using any of the dependencies below should take extra caution to investigate the presence and impact of Log4j in their environments. As we discover more about the impact and relationship between these and Log4j we will update this page.

Python dependencies that may imply the existence of Log4j

Apache-airflow

Apache-airflow may be used in conjunction with Log4j. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

Apache-atlas

The Apache-atlas Python client is not affected itself, but its presence implies Apache Atlas is present on the system, which is vulnerable and has not yet patched all of these vulnerabilities. Please ensure Apache Atlas is updated to include this patch. See also this changelog.

This package is used in the latest versions of the following dependencies:

  • amundsen-metadata
  • amundsen-databuilder
  • amundsen-databuilder-neo4j4
  • edp-amundsen-databuilder
  • databuilder-amundsen
  • amundsen-metadata-neo4j4

--

Apache-beam

Apache-beam is the Python SDK for Apache Beam. Apache Beam Core was affected and was last patched on December 20, 2021. It’s still affected by the latest medium-severity CVE (CVE-2021-44832).

This package is used in conjunction with Log4j, as indicated in its changelog. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

--

Apache-flink

Apache-flink is directly affected and was last patched on December 30, 2021. However, the patched release is still not on PyPI. Please review and upgrade immediately from the master branch of its GitHub repository.

--

Bernhard-cletus

Bernhard-cletus is a Python client for Riemann. This package may be used in conjunction with Log4j, as indicated in its changelogs. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

--

Bzt

Bzt is directly affected and was last patched on December 19, 2021. It’s still vulnerable to CVE-2021-45105 and CVE-2021-44832.

--

Ckan

Ckan maintainers claim “It is very unlikely” that the version of Solr used together with this library is affected by this vulnerability. Check here for further information.

--

Collective.recipe.solrinstance

Collective.recipe.solrinstance (also known as “Collective-recipe-solrinstance”) may be used in conjunction with Log4j, as indicated in its changelog. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

--

Feast

Feast is the Python SDK for Feast. Feast Core was affected and was last patched on December 20, 2021. It’s still affected by the latest medium-severity CVE (CVE-2021-44832).

This package is used in conjunction with Log4j, as indicated in its changelog. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

This package is used in the latest versions of the following dependencies:

  • amundsen-databuilder
  • amundsen-databuilder-neo4j4
  • edp-amundsen-databuilder
  • elemeno-ai-sdk
  • databuilder-amundsen

--

Ftw.recipe.solr

Ftw.recipe.solr (also known as “Ftw-recipe-solr”) is directly affected and was last patched on December 19, 2021. It’s still vulnerable to the newest CVE-2021-44832. See also this changelog.

--

Genomicsdb

Genomicsdb is used in conjunction with Log4j. It includes Python bindings for an affected package and was last patched on December 18, 2021. It’s still vulnerable to CVE-2021-45105 and CVE-2021-44832. See also this changelog.

--

Goby

Goby may be used in conjunction with Log4j, as indicated in its changelog. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

--

H2o

H2o is used in conjunction with Java and Log4j. It was vulnerable and was patched on December 28, 2021. Please review and upgrade immediately. See also this changelog.

This package is used in the latest versions of the following dependencies:

  • quaeroml-serving
  • animal-classification
  • mercury-ml
  • insolver
  • quartic-sdk
  • Amlr

--

Ksql

Ksql is a Python wrapper for the Ksql API and may be used in conjunction with Log4j, as indicated in its changelog. The Ksql team says that they did not use Log4j for logging, but that they did find it in JAR files and have therefore released an update. Please read their update and apply their fix immediately.

--

Launchable

Launchable developers claim the package isn’t affected, as their related JAR file doesn’t contain the vulnerable log4j-core.

--

Logstash

Logstash may be used in conjunction with Log4j, as indicated in its release notes. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

--

Lttngust

Lttngust may be used in conjunction with Log4j, as indicated in its changelog. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

--

Multi-model-server

Using the Multi-model-server package requires Java, and it can therefore include a vulnerable version of Log4j. This package was last patched on December 21, 2021. It’s still vulnerable to the newest CVE-2021-44832. See also this changelog.

This package is used in the latest versions of the following dependencies:

  • sagemaker-huggingface-inference-toolkit
  • darknet.py

--

Neo4j

Neo4j is a Python driver for Neo4j, which is affected by these vulnerabilities, as shown here. The Neo4j core package was last patched on December 20, 2021. It’s still vulnerable to CVE-2021-44832.

--

Pulsar-client

The Apache-pulsar Python client is not affected itself, but its presence implies Apache Pulsar is present on the system, which is affected and was patched on December 29, 2021. Please ensure Apache Pulsar is updated to include this patch. See also this changelog.

--

Pyathenajdbc

Pyathenajdbc may be used in conjunction with Log4j, as indicated in its changelog. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

This package is used in the latest versions of the following dependencies:

  • pydbconnector-jinghan-ma
  • karnak

--

PySpark

PySpark is a Python API for Apache Spark. Using PySpark requires the Spark JARs that make use of Log4j.

On December 13, 2021, Team Anaconda announced that “CVE-2021-44228 does not affect the core packages in the PyData stack” because “An older 1.x version of Log4j is bundled in their ‘pyspark’ packages, and are therefore not impacted by this vulnerability”.

On December 18, 2021, Apache Spark migrated its code to use Log4j version 2.x, because Log4j 1.x had reached end of life in 2015.

On December 19, 2021, a patch was issued to fix CVE-2021-45105 and on December 29, 2021, another one to fix CVE-2021-44832. Please ensure Apache Spark is updated to the latest repository code to include all patches.

--

Py-hiverunner

Py-hiverunner may be used in conjunction with Log4j, as indicated in its changelog. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

--

Ray

Ray is directly affected and was last patched on December 17, 2021. It’s still vulnerable to CVE-2021-45105 and CVE-2021-44832. See also this changelog.

--

Saspy

Saspy developers clarified that the library isn’t affected as it “doesn't use log4j, doesn't initialize it and thus there are no logs being written”.

This package is used in the latest versions of the following dependencies:

  • sasoptpy
  • sos-sas

--

Strimzi-kafka-cli

Strimzi-kafka-cli is a command line interface for Strimzi-kafka-operator, which is affected by these vulnerabilities and was last patched on December 19, 2021. It’s still vulnerable to the newest CVE-2021-44832.

--

Systemds

Systemds is an interface for working with SystemDS, which uses Java and the Log4j package. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems.

--

Thrift

Thrift may be used in conjunction with Log4j, as indicated in its changelog. We advise any team using this package to take extra care in assessing the presence and configuration of Log4j on their systems. Releases of Thrift below version 0.9.2 are potentially affected; all references to Log4j were removed from the project after version 0.9.2.

This package is used in the latest versions of the following dependencies:

  • 1lever-utils
  • acryl-pyhive
  • ai-flow
  • airflow-indexima
  • airflow-zack
  • alo7-airflow
  • apache-airflow
  • apache-airflow-backport-providers-apache-hive
  • apache-airflow-providers-apache-hive
  • apache-airflow-zack
  • cacheless-airflow
  • cobra-policytool
  • codechat-server
  • codechecker-api
  • compass-ts
  • ctfshell
  • d22d
  • databricks-dbapi
  • databricks-sql-connector
  • dbt-spark
  • django-thrift
  • edu-airflow
  • etl-ml
  • fbctl
  • flawless
  • flexneuart
  • flipper-client
  • focus-lite
  • fsqlfly
  • funicorn
  • hmsclient
  • hrtpsnlpsdk
  • impyla
  • impyla-jz
  • iotdb-session-0-10-1
  • ivystar
  • jsonthrift
  • line4py
  • liyc-hand-superset
  • liyc-superset
  • marvin-python-toolbox
  • modeldb-basic
  • modeldb-community
  • muttlib
  • opencensus-ext-jaeger
  • openmetadata-ingestion
  • openmetadata-sqlalchemy-hive
  • openmetadata-sqlalchemy-pyhive
  • parquet-tools
  • phyre
  • pycquery
  • pyhivehere
  • pypegasus
  • pystellardb
  • python-suanpan
  • scales-rpc
  • serverless-thrift
  • soda-sql
  • soda-sql-hive
  • soda-sql-spark
  • spacy-thrift
  • ssh-jump-hive
  • suanpan
  • suanpan-core
  • superset-master-prasad-bhosale
  • thriftcli
  • thriftcli2
  • thrift-ctx
  • thrift-sasl
  • thrift-tools
  • tikit-test
  • training-grounds
  • twitter.common.zookeeper
  • wflow
  • yoyo-indexima
  • zipline-ai
  • Zipline-ai-dev

--