Hello,
I have been doing some testing for log4j vulnerabilities and have found some issues in the most recent Druid image released on Docker Hub (0.22.1).
```
[!][ ] found in opt/druid/extensions/druid-influxdb-emitter/log4j-core-2.15.0.jar hash=419a8512895971b7b4f4f33e620d361254e5c9552b904b0474b09ddd4a6a220b version=2.15.0 vulnerabilities=CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 max-score=7.5
  └───────> found in 6e79c1279b62923f67767885c653ffdfb9fd0529ea88030102ad220d36c70de0/layer.tar
  └───────> found in apache/druid:0.22.1 (sha256:15e2791da1e33251605bde4f67eb8b712928a8b336e0aa77a5b947d4e0d72899) hash=
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash 84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f (identified as version(s): 2.16.0, 2.14.0, 2.14.1, 2.15.0, 2.16.0, 2.14.1)
  └───────> found in opt/druid/extensions/druid-influxdb-emitter/log4j-core-2.15.0.jar
  └───────> found in 6e79c1279b62923f67767885c653ffdfb9fd0529ea88030102ad220d36c70de0/layer.tar hash=0ec0eebeac721747acfd5f7428c74def78b27f5139726b766e9085b0de5c21f3
  └───────> found in apache/druid:0.22.1 (sha256:15e2791da1e33251605bde4f67eb8b712928a8b336e0aa77a5b947d4e0d72899) hash= version=2.15.0 vulnerabilities=CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 max-score=7.5
[!][ ] found in opt/druid/lib/log4j-core-2.15.0.jar hash=419a8512895971b7b4f4f33e620d361254e5c9552b904b0474b09ddd4a6a220b version=2.15.0 vulnerabilities=CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 max-score=7.5
  └───────> found in 6e79c1279b62923f67767885c653ffdfb9fd0529ea88030102ad220d36c70de0/layer.tar
  └───────> found in apache/druid:0.22.1 (sha256:15e2791da1e33251605bde4f67eb8b712928a8b336e0aa77a5b947d4e0d72899) hash=
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash 84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f (identified as version(s): 2.16.0, 2.14.0, 2.14.1, 2.15.0, 2.16.0, 2.14.1)
  └───────> found in opt/druid/lib/log4j-core-2.15.0.jar
  └───────> found in 6e79c1279b62923f67767885c653ffdfb9fd0529ea88030102ad220d36c70de0/layer.tar hash=0ec0eebeac721747acfd5f7428c74def78b27f5139726b766e9085b0de5c21f3
  └───────> found in apache/druid:0.22.1 (sha256:15e2791da1e33251605bde4f67eb8b712928a8b336e0aa77a5b947d4e0d72899) hash= version=2.15.0 vulnerabilities=CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 max-score=7.5
```
I would like to know if there is any version that does not have these problems, or if there is any plan to upgrade log4j to version 2.17.