Question

StreamSets/ Data Collector in 3.22 version - log4j vulnerability

  • 27 June 2022
  • 8 replies
  • 133 views

Hello everyone!

This is Nicolas and I am working as Big Data consultant. 

We currently have StreamSets/ DC in 3.22 version installed through Cloudera Manager.
During monthly vulnerability scans, report informed us that many files in StreamSets/DC paths are susceptible to the vulnerability of log4j. 
Example: STREAMSETS_DATACOLLECTOR-3.22.3/streamsets-libs/streamsets-datacollector-cdh_6_3-lib/lib/log4j-core-2.8.2.jar

I reviewed your StreamSets documentation, but I cannot find free parcel in version 4+ and above of SS/DC. In your repo also newer versions are not visible. 

Maybe new versions of parcels are available, but it is quite possible that I was looking in the wrong place.

Maybe someone knows the solution to a given problem? 
Basically the goal is to fix the vulnerabilities existing in these paths, the SS/DC version is not the most important.

Thanks! :)
Nicolas


8 replies

Userlevel 3
Badge

Hi Nicolas,

Data Collector 4.0.0 and later are no longer released under an open source license. If you have an enterprise subscription with StreamSets, please contact support for instructions on downloading binaries.

Hi Nicolas,

Data Collector 4.0.0 and later are no longer released under an open source license. If you have an enterprise subscription with StreamSets, please contact support for instructions on downloading binaries.

Hello Dima,

Do you know any way to fix log4j vulnerabilities in 3.22 version?

Userlevel 3
Badge

Community users should move over to the free version of the DataOps Platform and a more recent release of StreamSets Data Collector where this (and hundreds of other issues) are resolved.

Hello again,

I performed the steps described in accordance with the information found (https://community.streamsets.com/technical-service-bulletin-69/technical-service-bulletin-2021-12-14-update-on-apache-log4j-zero-day-vulnerability-assessment-and- remediation-cve-2021-44228-339.),
How to fix the vulnerabilities related to log4j logging:
-----------------------------------------------------------------------------

Workaround: Yes
Applying the following workarounds will ensure that your StreamSets environments are not vulnerable to the log4j zero-day vulnerability:
StreamSets Data Collector:
For each affected stage library that you are using, locate it in $SDC_HOME/streamsets-libs/<stage library name>/lib/
Execute: zip -d log4j-core - *. Jar org / apache / logging / log4j / core / lookup / JndiLookup.class | grep deleting
-----------------------------------------------------------------------------

From: https://community.streamsets.com/technical-service-bulletin-69/technical-service-bulletin-2021-12-14-update-on-apache-log4j-zero-day-vulnerability-assessment-and- remediation-cve-2021-44228-339.

I have executed the required command in all lib of StreamSets paths, but vulnerability scan still still returns these paths as vulnerable, are they actually fixed? Best Regards.
Thank you in advance.

Nicolas

Userlevel 3
Badge

Hi Nicolas,

 

What exactly is your scan reporting?

Apache Log4j Unsupported Version Detection

Example: 
<plugin_output>
  Path              : /our_paths/STREAMSETS_DATACOLLECTOR-3.22.3/streamsets-libs/streamsets-datacollector-rabbitmq-lib/lib/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /our_paths/STREAMSETS_DATACOLLECTOR-3.22.3/streamsets-libs/streamsets-datacollector-orchestrator-lib/lib/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /our_paths/STREAMSETS_DATACOLLECTOR-3.22.3/streamsets-libs/streamsets-datacollector-mysql-binlog-lib/lib/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /our_paths/STREAMSETS_DATACOLLECTOR-3.22.3/streamsets-libs/streamsets-datacollector-jms-lib/lib/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /our_paths/STREAMSETS_DATACOLLECTOR-3.22.3/streamsets-libs/streamsets-datacollector-jdbc-sap-hana-lib/lib/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /our_paths/STREAMSETS_DATACOLLECTOR-3.22.3/streamsets-libs/streamsets-datacollector-jdbc-lib/lib/log4j-1.2.17.jar
  Installed version : 1.2.17

Plugin Ref: https://www.tenable.com/plugins/nessus/156032

Description: "According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer supported. Log4j reached its end of life prior to 2016.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities."

Synopsis: A logging library running on the remote host is no longer supported.


For my part, I can confirm that I have followed the steps described in the workaround: 
https://community.streamsets.com/technical-service-bulletin-69/technical-service-bulletin-2021-12-14-update-on-apache-log4j-zero-day-vulnerability-assessment-and- remediation-cve-2021-44228-339.
On libs in the all lib paths for StreamSets.


Best Regards,
Nicolas

Userlevel 3
Badge

Nicolas,

The TSB you linked to addresses the Log4Shell vulnerability that affects Log4j 2.x. As I mentioned, many other changes have gone into Data Collector since then. Among those is a move to newer versions of Log4j (your scan is picking up on the use of Log4j 1.x). You'd need to upgrade to take advantage of this new work.

Hello,

Okay thank you for explanation :).

Reply