
Technical Service Bulletin 2021-12-24 (TSB) - Data Collector 4.2.1 and bash script for remediation of CVE-2021-44228

  • December 24, 2021

StreamSets has announced the release of StreamSets Data Collector version 4.2.1 which addresses CVE-2021-44228.


In addition, StreamSets has released a Bash script to replace the vulnerable Log4j libraries in Data Collector versions prior to 4.2.1. 

Description: 

StreamSets announced the release of StreamSets Data Collector version 4.2.1, which addresses CVE-2021-44228. In SDC 4.2.1, the vulnerable versions of Log4j have been replaced with Log4j 2.17.0, and a required system property has been added to the SDC_JAVA_OPTS environment variable by default. In SDC 4.2.1 and in future versions, this eliminates the need for the workarounds in our Technical Service Bulletins (TSBs), which can be found here and here.

 

For more details, you can review the SDC version 4.2.1 release notes here

 

For customers who cannot upgrade or require additional time to prepare the upgrade process, and therefore will be using SDC versions prior to 4.2.1, there are now two paths which will remediate the vulnerability.

 

The first path is to review and implement the workarounds from our previous TSBs. This process will keep the current instances of the vulnerable Log4j libraries, but will delete the class that can permit remote code execution (JndiLookup.class). This workaround is still a viable path, and was a solution offered by the Apache Log4j team.

 

The other path is to replace the vulnerable Log4j dependencies, which are found in various stage libraries, with Log4j 2.17.0. To facilitate this path, StreamSets has released a Bash script. This script, patch.sdc.sh, can be downloaded from a public GitHub repo.

 

There are detailed instructions in the README file. 
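Whichever path is taken, it is worth confirming afterwards that no stage library was missed. The following is an added example, not StreamSets code and not part of patch.sdc.sh: it walks an installation directory and classifies every Log4j core jar against the two remediation paths above. It assumes the jars are named log4j-core-<version>.jar and reads the version from the file name; the function names and status labels are hypothetical, and copies of Log4j nested inside other archives are not inspected.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 17, 0)  # version the bulletin says replaces the vulnerable libraries
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")  # assumed naming

def audit_log4j(root):
    """Return sorted (relative path, version, status) for each log4j-core jar under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            version = tuple(int(g or 0) for g in m.groups())
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    has_jndi = JNDI_CLASS in jar.namelist()
            except zipfile.BadZipFile:
                findings.append((os.path.relpath(path, root), version, "unreadable"))
                continue
            # Path 2 (library replaced) wins; otherwise path 1 requires the class to be gone.
            status = "replaced" if version >= FIXED else (
                "needs-remediation" if has_jndi else "class-removed")
            findings.append((os.path.relpath(path, root), version, status))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: three stand-in stage-library directories with empty jar members."""
    samples = {
        "lib-a/log4j-core-2.13.3.jar": [JNDI_CLASS, "META-INF/MANIFEST.MF"],
        "lib-b/log4j-core-2.13.3.jar": ["META-INF/MANIFEST.MF"],  # JndiLookup.class deleted
        "lib-c/log4j-core-2.17.0.jar": [JNDI_CLASS, "META-INF/MANIFEST.MF"],
    }
    for rel, members in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            for member in members:
                jar.writestr(member, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, version, status in audit_log4j(tmp):
            print(f"{status:18} {'.'.join(map(str, version))}  {rel}")
```

Any jar reported as needs-remediation or unreadable should be handled before the instance is considered remediated.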

 

Severity:  High 

 

Immediate action required: Yes

 

For your questions:

  • Enterprise customers should contact support (support@streamsets.com) if there are any questions or to request information to download SDC 4.2.1.
  • Free tier users - please reach out via our community platform https://community.streamsets.com/
  • Professional tier users - please reach out to cloudsuccess@streamsets.com

 
