Druid upgrade to 0.22.1 for critical vulnerability CVE-2021-44228 in Apache Log4j

We are planning to upgrade Druid from 0.20.0 to 0.22.1 with a rolling upgrade. Please answer the queries below.

  1. Do we have version compatibility between 0.20.0 and 0.22.1?
  2. Do I need to take any backup of the directories in the Druid components?
  3. Will the version upgrade impact existing app flows?

Reposting here from ASF Slack:

You will find information on compatibility and functional changes in Release Notes:

Here are the links to the relevant Release Notes for all versions from where you are: I’ve linked to the “before you upgrade” notes if they exist.

And here are some other release notes just for fun way back to 0.9.

Information about rolling upgrades is in the documentation:

I also note there are conversations elsewhere regarding this Issue which you should take note of:

This was from Jihoon Son:

without this patch, the error above can cause log truncation when the service shuts down, but there should be no serious harm AFAICT

“App Flows” is a very broad term. Are you asking if Apache Druid will affect how Facebook renders the multiverse?! :smiley:

Also surfacing some other relevant information:

there are no plans to backport this into older versions of Apache Druid; if you are running an older version of Druid and cannot update to 0.22.1, you should apply the mitigation measures listed in https://lists.apache.org/thread/r5pf1vf0758cv4pszcz61pbk34kw02y4 (or in my post: Log4jShell Vulnerability and Mitigation)

Want to also call out to Vad’s post:

This diagram from GovCert is SLICK

https://govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

This is the original announcement:
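Added example, not from this thread or from the Druid project: a small inventory script that walks a Druid install directory, finds every bundled `log4j-core-*.jar`, and reports whether each one is on a release affected by CVE-2021-44228 (log4j-core 2.0-beta9 through 2.14.1; 2.15.0 is the first fixed release) and whether the `JndiLookup` class has been stripped from it, which is the class-removal workaround the Apache Log4j advisory describes for installs that cannot upgrade. The sample jars it builds in a temp directory are constructed stand-ins so the script runs offline; the install layout, jar names and `scan()`/`classify()` functions are assumptions of this example, not Druid's own tooling.

```python
"""Inventory log4j-core jars under a Druid install and flag CVE-2021-44228 exposure."""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 is the first fixed release.
FIXED_VERSION = (2, 15, 0)
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split("."))


def classify(jar_path):
    """Return (version_tuple, status) for one log4j-core jar, or None if the name does not match."""
    m = JAR_RE.match(os.path.basename(jar_path))
    if not m:
        return None
    version = parse_version(m.group(1))
    with zipfile.ZipFile(jar_path) as jar:
        has_jndi = JNDI_LOOKUP in jar.namelist()
    if version >= FIXED_VERSION:
        status = "fixed"
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "mitigated"  # affected release, but the JndiLookup class has been removed
    return version, status


def scan(root):
    """Walk an install tree and return one finding per log4j-core jar, sorted by path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if JAR_RE.match(name):
                path = os.path.join(dirpath, name)
                version, status = classify(path)
                findings.append({
                    "path": os.path.relpath(path, root),
                    "version": ".".join(map(str, version)),
                    "status": status,
                })
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_install(root):
    """Constructed sample tree (hypothetical layout, fake jar contents) so the demo runs offline."""
    layout = [
        ("lib/log4j-core-2.14.1.jar", True),                        # affected, class present
        ("extensions/some-extension/log4j-core-2.14.1.jar", False),  # affected, class stripped
        ("lib/log4j-core-2.16.0.jar", True),                        # fixed release
    ]
    for rel, with_jndi in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return root


def demo():
    """Build the constructed sample install in a temp dir and scan it."""
    root = build_sample_install(tempfile.mkdtemp(prefix="druid-sample-"))
    return scan(root)


if __name__ == "__main__":
    # On a real host, replace demo() with scan("/path/to/druid") to inventory the actual install.
    for f in demo():
        print(f"{f['status']:<11} log4j-core {f['version']}  {f['path']}")
```

On a real host, point `scan()` at the Druid root so that both `lib/` and every extension directory are covered; a "mitigated" result only tells you the class was removed from that jar, so the rolling upgrade to 0.22.1 is still the end state to plan for.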