oracle / oci-hdfs-connector

HDFS Connector for Oracle Cloud Infrastructure
https://cloud.oracle.com/cloud-infrastructure

Log4j vulnerability in OCI HDFS Connector #59

Open y-chandra opened 2 years ago

y-chandra commented 2 years ago

Update 2021-12-20 : We've updated the version of log4j dependencies to 2.17.0 in our latest release of the OCI HDFS Connector (version 3.3.1.0.3.0). The latest version is available via github source/releases and maven to download and use.


Update 2021-12-20 : Another vulnerability was discovered in version 2.16.0 of log4j that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This vulnerability has been published as CVE-2021-45105. We're working on releasing a new version of the OCI HDFS Connector with log4j version 2.17.0 that has the fix for the aforementioned vulnerability.


Update 2021-12-15 : We've updated the version of log4j dependencies to 2.16.0 in our latest release of the OCI HDFS Connector (version 3.3.1.0.2.0). The latest version is available via github source/releases and maven to download and use.


On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) by logging a certain string. The vulnerability has now been published as CVE-2021-44228. This affects all versions of log4j that are <= 2.14.1.

Since all the previous versions of the OCI HDFS Connector have a direct dependency on log4j versions <= 2.14.1, this vulnerability can also be exploited in the OCI HDFS Connector. We will soon release a fix for the tool which will upgrade log4j to version 2.17.0, which contains the fix for the aforementioned vulnerability.

Workaround

As a workaround, customers who use the older versions of the OCI HDFS Connector will need to define a dependency on version 2.17.0 of the following packages in their project pom file, in order to override the older versions of log4j coming from the OCI HDFS Connector:

- org.apache.logging.log4j:log4j-core
- org.apache.logging.log4j:log4j-slf4j-impl
- org.apache.logging.log4j:log4j-1.2-api
- org.apache.logging.log4j:log4j

(Comment updated to reflect that CVE-2021-45046 requires upgrading to 2.17.0 or newer.)

mricken commented 2 years ago

To be a little bit more verbose: In your pom.xml file, you can add direct dependencies on log4j version 2.17.0 or newer.

```xml
  <dependencies>
    <!-- ... -->
    <dependency>
      <groupId>com.oracle.oci.sdk</groupId>
      <artifactId>oci-hdfs-connector</artifactId>
      <version>3.3.1.0.0.0</version>
    </dependency>
    <!-- Add these with version 2.17.0 or newer; as direct dependencies they win
         over the transitive log4j versions pulled in by the connector -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>2.17.0</version>
      <!-- this artifact is the Log4j parent POM (it ships no jar), so it has to
           be resolved as type pom or Maven fails to find log4j-2.17.0.jar -->
      <type>pom</type>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>2.17.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-1.2-api</artifactId>
      <version>2.17.0</version>
    </dependency>
    <!-- ... -->
  </dependencies>
```

(Comment updated to reflect that CVE-2021-45046 requires upgrading to 2.17.0 or newer.)
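An added verification step (not from this thread or the connector project): after adding the overrides, run `mvn dependency:list` on the project and feed its output to this script, which flags every `org.apache.logging.log4j` artifact still resolving below 2.17.0. The `SAMPLE_OUTPUT` it carries is constructed to look like that command's output for a project that only overrode some of the four artifacts.

```python
import re

# Lowest log4j 2.x release the thread above settles on (CVE-2021-44228, -45046, -45105 fixed).
MIN_SAFE = (2, 17, 0)
LOG4J_GROUP = "org.apache.logging.log4j"

# One resolved artifact line as printed by `mvn dependency:list`:
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope
LINE_RE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[^:\s]+):(?P<scope>\w+)"
)

def parse_version(v):
    """'2.17.0' -> (2, 17, 0); stops at the first non-numeric part ('2.0-beta9' -> (2, 0))."""
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)

def find_stale_log4j(dependency_list_output, min_safe=MIN_SAFE):
    """Return 'group:artifact:version' for every log4j 2.x artifact resolving below min_safe."""
    stale = []
    for line in dependency_list_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("group") != LOG4J_GROUP:
            continue
        ver = parse_version(m.group("version"))
        width = max(len(ver), len(min_safe))  # pad so '2.17' compares equal to '2.17.0'
        if ver + (0,) * (width - len(ver)) < min_safe + (0,) * (width - len(min_safe)):
            stale.append(f"{m.group('group')}:{m.group('artifact')}:{m.group('version')}")
    return stale

# Constructed sample output: only log4j-slf4j-impl was overridden, so the other
# log4j artifacts still resolve to the versions pulled in transitively.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.oracle.oci.sdk:oci-hdfs-connector:jar:3.3.1.0.0.0:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.0:compile
[INFO]    org.apache.logging.log4j:log4j-1.2-api:jar:2.16.0:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
"""

if __name__ == "__main__":
    print(find_stale_log4j(SAMPLE_OUTPUT))
```

Pipe the real command output in place of the sample (`mvn dependency:list | python check_log4j.py` with a matching `__main__` reading stdin) and an empty list means every log4j 2.x artifact, including log4j-api, is at or above 2.17.0.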

mricken commented 2 years ago

It looks like the fix in 2.15.0 was incomplete, and that everyone should upgrade to 2.16.0.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

y-chandra commented 2 years ago

We've updated the version of log4j dependencies to 2.16.0 in our latest release of the OCI HDFS Connector (version 3.3.1.0.2.0). The latest version is available via github source/releases and maven to download and use.

y-chandra commented 2 years ago

Another vulnerability was discovered in version 2.16.0 of log4j that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This vulnerability has been published as CVE-2021-45105. We're working on releasing a new version of the OCI HDFS Connector with log4j version 2.17.0 that has the fix for the aforementioned vulnerability.

y-chandra commented 2 years ago

We've updated the version of log4j dependencies to 2.17.0 in our latest release of the OCI HDFS Connector (version 3.3.1.0.3.0). The latest version is available via github source/releases and maven to download and use.

jodoglevy commented 2 years ago

This issue is now resolved -- however, we will leave this GitHub issue open for awareness purposes.