[ad_1]
Abstract
On December tenth 2021, the Apache Software program Basis launched model 2.15.0 of the Log4j Java logging library, fixing CVE-2021-44228, a distant code execution vulnerability affecting Log4j 2.0-2.14. An attacker can use this vulnerability to instruct affected methods to obtain and execute a malicious payload by means of submitting a custom-crafted request. This vulnerability is important and is rated 10 out of 10 on the CVSS 3.1 scoring scale.
How is Cloudera responding to this vulnerability?
Software program and companies throughout our trade and open supply communities use Log4j for dealing with log messages. Cloudera’s safety and engineering groups have recognized the influence of this CVE throughout our product suite, and Cloudera clients have been despatched detailed updates by means of Cloudera’s Technical Assist Bulletins (TSB) and My Cloudera help circumstances.
What Cloudera merchandise and variations are affected?
A number of Cloudera merchandise and open supply initiatives use Log4j to course of log messages. The Cloudera help staff has supplied the checklist of impacted merchandise and variations to our Cloudera clients by means of an in depth TSB. If you’re not an current Cloudera buyer, please go right here.
What do Cloudera clients have to do to mitigate this CVE?
We encourage clients to evaluation the main points in our TSB and apply workarounds instantly. On the identical time, clients ought to plan to improve to soon-to-be-released variations of Cloudera software program that embrace fixes for this CVE.
It’s additionally vital to grasp that this vulnerability isn’t restricted to Cloudera merchandise. This vulnerability can have an effect on underlying infrastructure software program in addition to workloads clients run on high of Cloudera merchandise, corresponding to Spark jobs or Flink functions. We advocate that clients assess their whole surroundings for the usage of Log4j and remediate it as quickly as attainable.
Ought to clients watch for a brand new Cloudera launch or use advised remediation?
The state of affairs is important, and exploits and bypasses are starting to propagate on the web. Except your surroundings is absolutely protected with compensating controls, we advocate that clients instantly handle the state of affairs with the proposed remediation and plan to improve to imminent software program releases.
Please create a help case by means of My Cloudera for any additional questions or clarifications.
[ad_2]
