On December 9th 2021, a high severity vulnerability in Log4j 2 was published as CVE-2021-44228, AKA Log4Shell. Any JVM-based project using log4j-core with a version <= 2.14.1 is affected. See this Cloudflare blog post for a detailed explanation.
New releases of REST and asloader with log4j-core 2.16.0 have been posted. The announcement has been updated accordingly.
Alright! Apparently we’re not out of the storm yet. Apache Log4j released a new fix in log4j-core 2.16.0, as the 2.15.0 fix didn’t close the exploit. We will follow shortly with releases of the affected projects (REST gateway, asloader).
--- Original Post---
Obviously, Aerospike Database is written in C, and not vulnerable to a Log4Shell exploit. We have completed an assessment of the exposure our tools and connectors might have:
- The Aerospike REST gateway is a Spring Boot application, and has been patched in release 1.10.2. Users of this server should upgrade it immediately to the latest release. The Spring project has a December 23rd estimate for a full fix. We will pull the updated dependencies when those are available.
- The Aerospike Loader is a command-line tool, which does not run as a daemon. It has minimal potential exposure. We will publish a new release in aerospike/aerospike-loader. Aerospike Loader was removed from tools 6.2.0.
- The Java client’s logging is callback-based and does use a logging library directly.
- Skyhook uses the Logback framework, which is not vulnerable.
- Similarly, our streaming connectors for Kafka, Pulsar, JMS, Event Stream Processing (ESP), and the XDR Proxy use Logback, which is not vulnerable.
- Our Trino (Presto) connector does not use log4j-core.
- Our Spark connector doesn’t bundle its own logger. It uses the logging mechanism of Spark. Spark users should stay tuned to information from Apache Spark and Databricks.
- The Spring Data project depends on log4j-api, but not the vulnerable log4j-core (the default logger for Spring Boot projects is not log4j 2). As soon as a fix is published, we will update the Spring dependencies of aerospike-community/spring-data-aerospike. Meanwhile, see the Spring Boot announcement mentioned above.
- ACMS does not use log4j components and all customer environments managed by Aerospike are unaffected by this CVE.
|REST gateway||Yes||Patched in a new release 1.10.2. Spring Boot based, and that project has an estimate of approx. Dec 23, 2021 for the full fix.|
|asloader||Yes||A command line tool, not running as a daemon, so low probability of being exploited (TOOLS-1888). Tools 6.2.0 removed asloader.|
|Java Client||No||Does not use any logging library.|
|Trino connector||No||Does not use log4j-core.|
|Spark connector||No*||The connector does not bundle log4j. Users of Spark will have to pay attention to updates from Databricks / Apache Spark.|
|XDR Proxy||No||Uses logback. No dependency on log4j|
|Kafka Inbound connector||No||No dependency. Kafka itself may use log4j.|
|Kafka Outbound connector||No||Uses logback. No dependency on log4j|
|Pulsar Inbound connector||No||No dependency. Pulsar itself may use log4j.|
|Pulsar Outbound connector||No||Uses logback. No dependency on log4j|
|JMS Inbound connector||No||No dependency.|
|JMS Outbound connector||No||Uses logback. No dependency on log4j|
|ESP Outbound connector||No||Uses logback. No dependency on log4j|
|Spring Data Aerospike||No*||The Spring Data project depends on log4j-api, but not log4j-core. The default logger for Spring projects isn’t log4j. No action is required on our side. We’ll bump the Spring dependencies, once they’re released.|
|aerospike-helper||Archived project (read-only). Stale since 2018, not used by Aerospike projects.|