Log4j vulnerability

allCag · December 13, 2021, 1:43pm

Hello,

we have a security alert regarding usage of log4j since a vulnerability has been identified (Apache log4j Vulnerability CVE-2021-4428: Analysis and Mitigations) on 09/12/2021.
Looking at dremio-os v19 I found that the log4j versions used are concerned based on the LICENSES_FOR_DEPENDENCIES.md files :
|Apache Log4j API |2.13.3 |Apache 2.0 |
|Apache Log4j to SLF4J Adapter |2.13.3 |Apache 2.0 |

Can you confirm whether the log4j libraries used in Dremio are concerned ?
If so are you planning to release a fix or instructions to patch ourselves ?

Thanks & regards

HWiese1980 · December 13, 2021, 3:36pm

Yeah, same here. We’d be really happy about an official statement by Dremio about this!

asakmedops · December 13, 2021, 4:20pm

Same for us. We did a scan and we found that Dremio is vulnerable for log4shell. We took down our Dremio instance while waiting for Dremio Team confirmation or a fix

doron · December 13, 2021, 4:51pm

Hi,

Dremio is not affected by the vulnerability. Here is our security advisory.

Thanks!

Topic		Replies	Views
Security vulnerabilities on dremio/dremio-oss image	4	1822	December 17, 2021
Vulnerable 3rd party jars found in dremio 24.2.6	1	197	January 18, 2024
Dremio Crashing	7	2220	December 21, 2018
Multiple Critical Vulnerabilities in dremio-oss:23.1..0	2	964	June 26, 2023
Dremio-oss version question	3	873	May 7, 2021

Log4j vulnerability

Related Topics