CVE-2021-44228: Log4Shell vulnerability and Aerospike

On December 9th 2021, a high severity vulnerability in Log4j 2 was published as CVE-2021-44228, AKA Log4Shell. Any JVM-based project using log4j-core with a version < 2.17.0 is affected. See this Cloudflare blog post for a detailed explanation, and Apache Log4j Security Vulnerabilities.

Obviously, Aerospike Database is written in C, and not vulnerable to a Log4Shell exploit. We have completed an assessment of the exposure our tools and connectors might have:

  • The Aerospike REST client is a Spring Boot application, is patched with the newly released log4j-core 2.17.0. Users of this server should upgrade immediately to the latest appropriate release - 1.6.5, 1.7.2, 1.8.2, 1.9.2 and 1.10.4 . The Spring project has a December 23rd estimate for a full fix.
  • The Aerospike Loader is a command-line tool, which does not run as a daemon. It has minimal potential exposure. Version 2.4.3 has been released. Aerospike Loader was removed from tools 6.2.0.
  • The Java client’s logging is callback-based and does not use a logging library directly.
  • Skyhook uses the Logback framework, which is not vulnerable.
  • Similarly, our streaming connectors for Kafka, Pulsar, JMS, Event Stream Processing (ESP), and the XDR Proxy use Logback, which is not vulnerable.
  • Our Trino (Presto) connector does not use log4j-core.
  • Our Spark connector doesn’t bundle its own logger. It uses the logging mechanism of Spark. Spark users should stay tuned to information from Apache Spark and Databricks.
  • The Spring Data project depends on log4j-api, but not the vulnerable log4j-core (the default logger for Spring Boot projects is not log4j 2). As soon as a fix is published, we will update the Spring dependencies of aerospike-community/spring-data-aerospike. Meanwhile, see the Spring Boot announcement mentioned above.
  • ACMS does not use log4j components and all customer environments managed by Aerospike are unaffected by this CVE.
Project Affected? Note
REST gateway Yes Multiple releases with log4j-core 2.17.0 have been posted. This is a Spring Boot based, and that project has an estimate of approx. Dec 23, 2021 for the full fix.
asloader Yes A command line tool, not running as a daemon, so low probability of being exploited. Has been fixed in release 2.4.3. Tools 6.2.0 removed asloader.
Java Client No Does not use any logging library.
Trino connector No Does not use log4j-core.
Spark connector No* The connector does not bundle log4j. Users of Spark will have to pay attention to updates from Databricks / Apache Spark.
XDR Proxy No Uses logback. No dependency on log4j
Kafka Inbound connector No No dependency. Kafka itself may use log4j.
Kafka Outbound connector No Uses logback. No dependency on log4j
Pulsar Inbound connector No No dependency. Pulsar itself may use log4j.
Pulsar Outbound connector No Uses logback. No dependency on log4j
JMS Inbound connector No No dependency.
JMS Outbound connector No Uses logback. No dependency on log4j
ESP Outbound connector No Uses logback. No dependency on log4j
Skyhook No Uses logback
Spring Data Aerospike No* The Spring Data project depends on log4j-api, but not log4j-core. The default logger for Spring projects isn’t log4j. No action is required on our side. We’ll bump the Spring dependencies, once they’re released.
aerospike-helper Yes Archived project (read-only). Stale since 2018, not used by Aerospike projects.
3 Likes

Update on 2021-12-14: Aerospike Loader release 2.4.1 is out now.

Alright! Apparently we’re not out of the storm yet. Apache Log4j released a new fix in log4j-core 2.16.0, as the 2.15.0 fix didn’t close the exploit (See CVE-2021-45046). We will follow shortly with releases of the affected projects (REST client, asloader).

New releases of REST and asloader with log4j-core 2.16.0 have been posted. The announcement has been updated accordingly.

Log4j keeps on giving. We’ve seen the announcement on CVE-2021-45105 and will start working on new releases with log4j-core 2.17.0.

REST client releases 1.6.5, 1.7.2, 1.8.2, 1.9.2 and 1.10.4 with log4j-core 2.17.0 have been posted.

Aerospike Loader release 2.4.3 uses log4j-core 2.17.0.

© 2021 Copyright Aerospike, Inc. | All rights reserved. Creators of the Aerospike Database.