StreamSets Support Team would like to inform you that we have conducted an internal assessment on the effect on our products of the Apache Log4j zero-day vulnerability documented in CVE-2021-44228 and would like to share the following information to mitigate its effects.
Severity: High
Description:
- StreamSets DataOps Platform: Not vulnerable
- StreamSets Control Hub Cloud: Not vulnerable
- StreamSets Control Hub on-prem: Not vulnerable in 3.22 or newer
  - We are assessing older releases. StreamSets recommends upgrading to 3.22 to eliminate risk.
- StreamSets Transformer: Not vulnerable in 4.1.0
  - We are assessing older releases. StreamSets recommends upgrading to 4.1.0 to eliminate risk.
- StreamSets Data Collector: Core SDC is not vulnerable in 4.2.0, but some stages could be vulnerable:
  - ElasticSearch 5/6/7 - Apply the JVM argument workaround described below
  - CDP 7.1 - Apply the JVM argument workaround described below
  - HDP 3.1 - Apply the JVM argument workaround described below
  - CDH 6.0/6.1/6.2/6.3 - StreamSets is waiting for Cloudera to patch their client libraries before StreamSets can provide a patch. Alternatively, upgrade to CDP 7.1 and apply the JVM argument workaround described below
  - Legacy stage libraries:
    - HDP 2.6 - StreamSets is waiting for Cloudera to patch their client libraries before StreamSets can provide a patch. Alternatively, upgrade to HDP 3.1 and apply the JVM argument workaround described below
  - We are assessing older releases. StreamSets recommends upgrading to 4.2.0 to reduce risk as much as possible.
- Enterprise Stage Libraries:
  - Databricks Enterprise Library (version 1.2 and above) - The Databricks JDBC driver is vulnerable and is known to use log4j 2.x. StreamSets is waiting for Databricks to provide an assessment and update their JDBC driver if necessary, before StreamSets can provide a patch.
  - No other enterprise stage libraries are vulnerable in their latest versions.
  - We are assessing older releases. StreamSets recommends upgrading to the latest versions to reduce risk as much as possible.

NOTE: The following scenarios require different remediation steps:

- StreamSets cluster jobs (both SDC and Transformer): We highly encourage you to update your clusters to patch this log4j zero-day vulnerability.
- Custom stage libraries/resources: Users are responsible for validating custom-built libraries and resources to ensure they are not vulnerable.
Immediate action required: Yes
Workaround: Yes
Applying the following workarounds will ensure that your StreamSets environments are not vulnerable to the log4j zero-day vulnerability:

- StreamSets Data Collector:
  - Add the following JVM property to $SDC_JAVA_OPTS, which is set in $SDC_CONF/libexec/sdc-env.sh or $SDC_CONF/libexec/sdcd-env.sh depending on the installation method.
  - For DataOps Platform users, configure this in the Java Properties under Advanced Configuration of your Data Collector deployment. This will be handled automatically for you in a future release.
  - Add: -Dlog4j2.formatMsgNoLookups=true
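Added example, not StreamSets' own tooling: a POSIX shell helper that inserts the property into the SDC_JAVA_OPTS line of sdc-env.sh or sdcd-env.sh without duplicating it on repeated runs, appends a new export line if the file has none, and checks that a running Data Collector JVM actually received the flag. It assumes the file sets the options as `export SDC_JAVA_OPTS="..."` (the usual shape); the sample file at the bottom is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not StreamSets code). Idempotently adds the Log4j property to
# the SDC_JAVA_OPTS line of sdc-env.sh / sdcd-env.sh and verifies the result.
# Assumption: the file sets the options as  export SDC_JAVA_OPTS="..."
# The property is honoured by Log4j 2.10 and later and is read only at JVM start.
FLAG='-Dlog4j2.formatMsgNoLookups=true'
OPTS_RE='[[:space:]]*export[[:space:]]+SDC_JAVA_OPTS='

# has_flag FILE: exit 0 if the SDC_JAVA_OPTS line in FILE already carries the flag.
has_flag() {
  grep -E "^$OPTS_RE" "$1" | grep -qF -- "$FLAG"
}

# add_flag FILE: put the flag first in the quoted SDC_JAVA_OPTS value, or append a
# new export line if FILE has none. Safe to run repeatedly (never duplicates).
add_flag() {
  f="$1"
  has_flag "$f" && return 0
  cp "$f" "$f.bak"                       # keep a backup of the untouched file
  if grep -Eq "^$OPTS_RE\"" "$f"; then
    tmp="$f.tmp.$$"
    sed -E "s|^(${OPTS_RE}\")|\1${FLAG} |" "$f" > "$tmp" && mv "$tmp" "$f"
  else
    printf 'export SDC_JAVA_OPTS="%s ${SDC_JAVA_OPTS}"\n' "$FLAG" >> "$f"
  fi
  has_flag "$f"
}

# jvm_has_flag PID: exit 0 if the live JVM's command line contains the flag.
# Run this after restarting Data Collector; the edit alone does not protect a
# JVM that is already running.
jvm_has_flag() {
  ps -o args= -p "$1" | grep -qF -- "$FLAG"
}

# Constructed demonstration file (not a real install). On a real host run e.g.
#   add_flag "$SDC_CONF/libexec/sdc-env.sh"
demo_file="$(mktemp)"
printf '%s\n' '# constructed sample sdc-env.sh' \
  'export SDC_JAVA_OPTS="-Xmx1024m -Xms1024m -server ${SDC_JAVA_OPTS}"' > "$demo_file"
add_flag "$demo_file" && grep -E "^$OPTS_RE" "$demo_file"
rm -f "$demo_file" "$demo_file.bak"
```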
StreamSets Support will follow up as soon as possible with risk assessments for supported, older releases of our products (released within the last 24 months).
For questions:
Free users - please reach out via our community platform https://community.streamsets.com/
Professional tier users - please reach out to cloudsuccess@streamsets.com
Enterprise customers - please reach out to support@streamsets.com