BlazingDB / blazingsql

BlazingSQL is a lightweight, GPU accelerated, SQL engine for Python. Built on RAPIDS cuDF.
https://blazingsql.com
Apache License 2.0

[BUG] [SECURITY] Log4j CVE Metaissue #1605

Closed lmeyerov closed 2 years ago

lmeyerov commented 2 years ago

Issue: BlazingSQL seems potentially vulnerable to the log4j RCE CVE going around due to impacted dependencies like calcite.

Meta

wmalpica commented 2 years ago

We are looking into this. As of right now it seems like it's only Calcite that has log4j as a dependency.

lmeyerov commented 2 years ago

@wmalpica FYI we did a quick test on where we were worried our use of bsql would expose us to log4j, but seemed ok. We probably only use a tiny bit of bsql surface area relative to your other users though. If helpful, found this useful for confirming whether actively exploitable for a particular use case: https://log4j-tester.trendmicro.com/ .

aucahuasi commented 2 years ago

Hi @lmeyerov , thanks for reporting this.

We did some research and, fortunately, we are not exposed to this security issue, because we are not using log4j 2.x; we are using log4j 1.2.17 instead. Also, in our logging configuration, we are not activating anything related to JNDI or lookups.

Keep in mind that calcite-core 1.28.0 only recently switched to 2.x, which is vulnerable, but that is not the version we are using in BlazingSQL. Currently BlazingSQL is using calcite-core 1.23.0.

You can check this by downloading any BlazingSQL package from conda (https://anaconda.org/rapidsai/blazingsql/files), for instance:

blazingsql-21.10.00-cuda_11.0_py37_g2a4a99cc8_0.tar.bz2

If you extract this archive, you will see the two artifacts related to Calcite for BlazingSQL in this path:

blazingsql-21.10.00-cuda_11.0_py37_g2a4a99cc8_0/lib/

These are the artifacts:

blazingsql-algebra-core.jar
blazingsql-algebra.jar

The main one here is blazingsql-algebra.jar, so when you extract this file and check

blazingsql-algebra/META-INF/maven/log4j/log4j

you will see that we are using log4j 1.2.17, as the manifest file indicates:

#Generated by org.apache.felix.bundleplugin
#Sun May 06 13:24:49 CEST 2012
version=1.2.17
groupId=log4j
artifactId=log4j

So that shows that we are not exposed to this issue!
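One way to automate the check walked through above, as an added example that is not BlazingSQL project code: it opens a (possibly shaded) jar, reads every Maven pom.properties entry a bundle plugin leaves under META-INF/maven/ (the same file quoted in the comment), and also reports whether the log4j 2.x JndiLookup class is present. The jar it scans is constructed inline from the quoted properties; the jar name and class entry are placeholders.

```python
import re
import tempfile
import zipfile
from pathlib import Path

POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_GROUPS = ("log4j", "org.apache.logging.log4j")
# Constructed sample pom.properties, mirroring the one quoted in the thread.
SAMPLE_POM = ("#Generated by org.apache.felix.bundleplugin\n"
              "#Sun May 06 13:24:49 CEST 2012\n"
              "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n")

def parse_properties(text):
    """Minimal Java .properties reader: skip comments, split key=value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def scan_jar(jar_path):
    """One record per log4j Maven artifact bundled in the (shaded) jar.
    jndi_lookup_class flags the log4j 2.x class CVE-2021-44228 relies on."""
    findings = []
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        for name in sorted(names):
            m = POM_RE.match(name)
            if not m or m.group(1) not in LOG4J_GROUPS:
                continue
            props = parse_properties(jar.read(name).decode("utf-8", "replace"))
            version = props.get("version", "unknown")
            findings.append({"groupId": m.group(1), "artifactId": m.group(2),
                             "version": version,
                             "is_log4j2": version.startswith("2."),
                             "jndi_lookup_class": JNDI_LOOKUP in names})
    return findings

def demo():
    """Build a constructed jar (not a real BlazingSQL artifact) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "blazingsql-algebra.jar"  # placeholder name
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/maven/log4j/log4j/pom.properties", SAMPLE_POM)
            z.writestr("org/apache/log4j/Logger.class", b"")  # placeholder entry
        return scan_jar(jar)
```

Point scan_jar at the extracted blazingsql-algebra.jar to run the same check on a real package; a 2.x version together with jndi_lookup_class set to True is the combination worth escalating.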