Technical Service Bulletin 2021-12-14 - Update on Apache Log4j Zero-day Vulnerability Assessment and Remediation (CVE-2021-44228)

StreamSets Support Team would like to provide further updates on the Apache Log4j zero-day vulnerability documented in CVE-2021-44228. This Technical Service Bulletin is an update to the information we provided yesterday and we strongly recommend all users follow this latest guidance.

Severity: High

Description:
StreamSets Support Team would like to inform you that we have conducted an internal assessment on the effect on our products of the Apache Log4j zero-day vulnerability documented in CVE-2021-44228 and would like to share the following information to mitigate its effects.

• StreamSets DataOps Platform: Not vulnerable
• StreamSets Control Hub Cloud: Not vulnerable
• StreamSets Control Hub on-prem: Versions 3.13.1 - 3.22.3 are not vulnerable
• StreamSets Transformer: Versions 3.12.0 - 4.1.0 are not vulnerable
• StreamSets Data Collector: Core Engine Versions 3.12.0 - 4.1.0 are not vulnerable, however certain connectors are:
  • ElasticSearch 5/6/7, CDH 7.1, HDP 2.6/3.1, CDH 6.0/6.1/6.2/6.3
  • To immediately remediate the vulnerability, please apply the jar alteration workaround described in the Workaround section below.
• Enterprise Stage Libraries:
  • Databricks Enterprise Library (version 1.2 and above) - The Databricks JDBC driver is vulnerable and known to be using log4j 2.x. StreamSets is waiting for Databricks to provide an assessment and update their JDBC driver if necessary, before StreamSets can provide a patch.
  • No other enterprise stage libraries are vulnerable.

NOTE: There are additional scenarios for which there are different remediation steps required:

• StreamSets cluster jobs (both SDC and Transformer): We highly encourage you to update your clusters to patch this log4j zero-day vulnerability.
• Custom stage libraries/resources: Users are responsible for validating custom-built libraries and resources to ensure they are not vulnerable.

NOTE: Yesterday we recommended setting the JVM flag to workaround this vulnerability. The Apache Log4j Project disclosed today that this workaround is only partially effective and does not completely protect against all attack vectors. As a result, StreamSets strongly advises all users to apply the new workaround mentioned below.
To be clear, there is no risk or ill-effect from maintaining in place the JVM flag workaround we provided in the previous Technical Service Bulletin.

Immediate action required:  Yes

Workaround: Yes
Applying the following workarounds will ensure that your StreamSets environments are not vulnerable to the log4j zero-day vulnerability:
StreamSets Data Collector:

• For each affected stage library that you are using, locate it in $SDC_HOME/streamsets-libs/<stage library name>/lib/
• Execute: zip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class | grep deleting

StreamSets will release new versions of Data Collector, based on the latest generally-available release, with patched connectors as updated client libraries are available from upstream vendors.

StreamSets will continue to monitor for updates in upstream guidance around this vulnerability and will in turn, provide ongoing Technical Service Bulletin updates to ensure that you have the most up-to-date information.