Vulnerability found in 0.22.1 -> CVE-2021-45046

Hello,

I have been doing some testing for log4j vulnerabilities and have found some issues in the most recent Druid image released on Docker Hub (0.22.1).

[!][ ] found in opt/druid/extensions/druid-influxdb-emitter/log4j-core-2.15.0.jar hash=419a8512895971b7b4f4f33e620d361254e5c9552b904b0474b09ddd4a6a220b version=2.15.0 vulnerabilities=CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 max-score=7.5  
       └───────> found in 6e79c1279b62923f67767885c653ffdfb9fd0529ea88030102ad220d36c70de0/layer.tar  
             └───────> found in apache/druid:0.22.1 (sha256:15e2791da1e33251605bde4f67eb8b712928a8b336e0aa77a5b947d4e0d72899) hash=  
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash 84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f (identified as version(s): 2.16.0, 2.14.0, 2.14.1, 2.15.0, 2.16.0, 2.14.1)
       └───────> found in opt/druid/extensions/druid-influxdb-emitter/log4j-core-2.15.0.jar  
             └───────> found in 6e79c1279b62923f67767885c653ffdfb9fd0529ea88030102ad220d36c70de0/layer.tar hash=0ec0eebeac721747acfd5f7428c74def78b27f5139726b766e9085b0de5c21f3  
                   └───────> found in apache/druid:0.22.1 (sha256:15e2791da1e33251605bde4f67eb8b712928a8b336e0aa77a5b947d4e0d72899) hash= version=2.15.0 vulnerabilities=CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 max-score=7.5  
[!][ ] found in opt/druid/lib/log4j-core-2.15.0.jar hash=419a8512895971b7b4f4f33e620d361254e5c9552b904b0474b09ddd4a6a220b version=2.15.0 vulnerabilities=CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 max-score=7.5  
       └───────> found in 6e79c1279b62923f67767885c653ffdfb9fd0529ea88030102ad220d36c70de0/layer.tar  
             └───────> found in apache/druid:0.22.1 (sha256:15e2791da1e33251605bde4f67eb8b712928a8b336e0aa77a5b947d4e0d72899) hash=  
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash 84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f (identified as version(s): 2.16.0, 2.14.0, 2.14.1, 2.15.0, 2.16.0, 2.14.1)
       └───────> found in opt/druid/lib/log4j-core-2.15.0.jar  
             └───────> found in 6e79c1279b62923f67767885c653ffdfb9fd0529ea88030102ad220d36c70de0/layer.tar hash=0ec0eebeac721747acfd5f7428c74def78b27f5139726b766e9085b0de5c21f3  
                   └───────> found in apache/druid:0.22.1 (sha256:15e2791da1e33251605bde4f67eb8b712928a8b336e0aa77a5b947d4e0d72899) hash= version=2.15.0 vulnerabilities=CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 max-score=7.5

I would like to know if there is any version that does not have these problems, or if there is any plan to upgrade log4j to version 2.17.
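The scan output above walks image -> layer.tar -> jar and reports the log4j-core version, its CVEs and the presence of JndiLookup.class. The script below is an added, constructed example of the same check (it is not the scanner used in the post and not Druid project code): it recurses through a `docker save` tarball, a directory, a layer tar or a single jar, reads the version from the jar's embedded pom.properties, maps it to the four 2021 CVEs using the fixed-in versions from the Apache Log4j advisories (2.x main line only; the 2.3.x and 2.12.x backport branches are an assumption left out), and reports whether JndiLookup.class is still present, since removing that class was the stop-gap mitigation for the JNDI CVEs but does nothing for CVE-2021-45105 or CVE-2021-44832. The sample image it builds in memory, the `layer1/layer.tar` layout and the placeholder class bytes are constructed for the example.

```python
"""Find log4j-core JARs inside docker-save tarballs, layer tars, directories or jars.
Constructed example; not the scanner whose output appears in the post above."""
import io
import os
import re
import sys
import tarfile
import zipfile
from collections import namedtuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Fixed-in versions on the 2.x main line, per the Apache Log4j security advisories.
# Assumption: the 2.3.x and 2.12.x backport branches (e.g. 2.12.4) are not modelled.
CVES = [
    ("CVE-2021-44228", (2, 15, 0)),  # JNDI lookup RCE
    ("CVE-2021-45046", (2, 16, 0)),  # incomplete fix for CVE-2021-44228
    ("CVE-2021-45105", (2, 17, 0)),  # uncontrolled recursion in lookups (DoS)
    ("CVE-2021-44832", (2, 17, 1)),  # JDBC appender RCE via attacker-controlled config
]

Finding = namedtuple("Finding", "path version cves has_jndi")


def parse_version(pom_properties):
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def cves_for(version):
    """CVEs affecting a 2.x log4j-core version: everything fixed in a later release."""
    return [cve for cve, fixed in CVES if version < fixed]


def inspect_jar(data):
    """Return (version, cves, has_jndi) for a log4j-core jar, None for any other jar."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return None
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        if version is None:
            return None
        return version, cves_for(version), JNDI_LOOKUP in names


def scan(name, data, findings, path=()):
    """Recurse through tars (plain or compressed) so image.tar -> layer.tar -> jar is
    walked; a blob that is not a tar is tried as a zip. Tar is tried first because a
    tar whose last member is a small jar would also pass zipfile.is_zipfile()."""
    where = path + (name,)
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
            for member in tf:
                if member.isfile():
                    scan(member.name, tf.extractfile(member).read(), findings, where)
        return findings
    except tarfile.ReadError:
        pass  # not a tar archive: fall through to the jar check
    if zipfile.is_zipfile(io.BytesIO(data)):
        info = inspect_jar(data)
        if info:
            findings.append(Finding("/".join(where), *info))
    return findings


def scan_path(path):
    """Scan a file (image tar, layer tar, jar) or a directory tree on disk."""
    findings = []
    files = ([os.path.join(r, f) for r, _, fs in os.walk(path) for f in fs]
             if os.path.isdir(path) else [path])
    for full in files:
        with open(full, "rb") as fh:  # whole file in memory; fine for an example
            scan(os.path.relpath(full, os.path.dirname(path) or "."), fh.read(), findings)
    return findings


def build_sample_image():
    """Constructed stand-in for `docker save` output: image.tar -> layer1/layer.tar -> jars.
    The JndiLookup.class payload is a placeholder, not real bytecode."""
    def jar(version=None, with_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if version and with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")
        return buf.getvalue()

    def tar(members):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tf:
            for name, data in members:
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
        return buf.getvalue()

    layer = tar([
        ("opt/druid/lib/log4j-core-2.15.0.jar", jar("2.15.0")),
        ("opt/druid/extensions/druid-influxdb-emitter/log4j-core-2.15.0.jar", jar("2.15.0")),
        ("opt/other/log4j-core-2.17.1.jar", jar("2.17.1")),
        ("opt/legacy/log4j-core-2.14.1.jar", jar("2.14.1", with_jndi=False)),  # class stripped
        ("opt/other/unrelated.jar", jar()),
    ])
    return tar([("manifest.json", b"[]"), ("layer1/layer.tar", layer)])


if __name__ == "__main__":
    hits = scan_path(sys.argv[1]) if len(sys.argv) > 1 else scan("image.tar", build_sample_image(), [])
    for f in hits:
        print(f"{f.path}: log4j-core {'.'.join(map(str, f.version))} "
              f"cves={','.join(f.cves) or 'none'} JndiLookup={'present' if f.has_jndi else 'removed'}")
```

Run it with no arguments to scan the built-in sample, or pass the path of a `docker save` tarball or an extracted rootfs. Version alone is what the post's scanner reports; the `has_jndi` column is the extra check worth having, because a 2.14.x jar with JndiLookup.class deleted is still affected by CVE-2021-45105 and CVE-2021-44832, and the 2.15.0 jars in the image carry all three of the CVEs listed in the post.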

My unofficial understanding is that the next release will use 2.17. (I don’t remember where I heard that, though, and I don’t know any timeline for the next release.)

Also consider that druid-influxdb-emitter is a community extension, and community extensions are not included in the release cycle. It is up to the community to update it; this is usually done by the committer for each extension.
