[druid-user] Apache Druid security advisory: critical vulnerability CVE-2021-44228 in Apache Log4j

Severity: critical

Description:

Apache Druid uses the Java logging library Apache Log4j, which has
recently been identified to have a critical vulnerability that could
lead to remote code execution (RCE). This vulnerability is triggered
when an attacker can control any part of a log message. Due to the
wide attack surface, it is critical that all Druid users patch or
mitigate this vulnerability as soon as possible.

The Log4j advisory is available at
https://nvd.nist.gov/vuln/detail/CVE-2021-44228 (NVD - CVE-2021-44228).

Affected versions:

Druid 0.22.0 and earlier are affected.

Mitigation:

We recommend that all users upgrade to Druid 0.22.1, which contains
Apache Log4j 2.15.0. This version of Log4j has a fix for the
vulnerability.

If you are unable to upgrade Druid at this time, we recommend
deploying a mitigation. Please refer to the Log4j announcement for
details on possible mitigations:
https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4.

Different Log4j versions have different mitigation options. Check the
"lib" directory of your Druid installation for the "log4j-core" jar to
see what version of Log4j you have. Recent versions of Druid use Log4j
2.8.2. Two possible mitigations for Log4j 2.8.2 are:

1) Specify "%m{nolookups}" in the PatternLayout configuration of your
log4j2.xml file. Druid installations may have multiple log4j2.xml
files; be sure to update all of them.

2) Remove the JndiLookup and JndiManager classes from the log4j-core jar.

These mitigations require a cluster restart to take effect.
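As an added example (not part of this advisory, and not Druid's or Log4j's own code), the following Python script performs the three checks described above on an installation tree: it reads the Log4j version from the log4j-core jar name, reports whether the JndiLookup/JndiManager classes are still packaged (and can write a copy of the jar without them, i.e. mitigation 2), and lists PatternLayout patterns in a log4j2.xml that lack "%m{nolookups}" (mitigation 1). It assumes the usual Log4j 2.x class paths inside the jar and a log4j2.xml written with the conventional PatternLayout element and pattern attribute; the sample install it builds is constructed purely for demonstration.

```python
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Classes the advisory says to remove from log4j-core (mitigation 2), by jar path.
JNDI_CLASSES = ("org/apache/logging/log4j/core/lookup/JndiLookup.class",
                "org/apache/logging/log4j/core/net/JndiManager.class")
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")

def jndi_classes_present(jar_path):
    """The JNDI classes still packaged inside the jar (empty list = mitigation 2 applied)."""
    with zipfile.ZipFile(jar_path) as zf:
        return [c for c in JNDI_CLASSES if c in zf.namelist()]

def jar_status(jar_path):
    """'fixed' (name says Log4j >= 2.15.0), 'mitigated' (JNDI classes gone) or 'vulnerable'."""
    m = JAR_RE.match(Path(jar_path).name)
    if m and tuple(int(p) for p in m.group(1).split(".")) >= (2, 15, 0):
        return "fixed"
    return "vulnerable" if jndi_classes_present(jar_path) else "mitigated"

def strip_jndi_classes(jar_in, jar_out):
    """Write a copy of the jar with the JNDI classes left out (mitigation 2)."""
    with zipfile.ZipFile(jar_in) as src, zipfile.ZipFile(jar_out, "w") as dst:
        for info in src.infolist():
            if info.filename not in JNDI_CLASSES:
                dst.writestr(info, src.read(info.filename))

def layouts_missing_nolookups(log4j2_xml):
    """PatternLayout patterns in a log4j2.xml that lack %m{nolookups} (mitigation 1)."""
    patterns = [(l.get("pattern") or l.findtext("Pattern") or "")
                for l in ET.parse(log4j2_xml).getroot().iter("PatternLayout")]
    return [p for p in patterns if "%m{nolookups}" not in p]

def build_sample_install():
    """Constructed stand-in for a Druid tree: a stub Log4j 2.8.2 jar plus one log4j2.xml."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "log4j-core-2.8.2.jar", "w") as zf:
        for entry in JNDI_CLASSES + ("META-INF/MANIFEST.MF",):
            zf.writestr(entry, b"stub")  # entry contents are irrelevant to the check
    (root / "log4j2.xml").write_text('<Configuration><Appenders>'
        '<Console name="ok"><PatternLayout pattern="%d %m{nolookups}%n"/></Console>'
        '<Console name="bad"><PatternLayout pattern="%d %p %m%n"/></Console>'
        '</Appenders></Configuration>')
    return root
```

Run the checks over every log4j-core jar under "lib" and every log4j2.xml in the tree, since a Druid install may carry several of each.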

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4