CVE-2021-44228, CVE-2021-45046 affecting ScaleOut versions >= 5.8.15.345

Brandon

Administrator
Staff member
#1
What you need to know:
  • If you are not using the ScaleOut Java API libraries then LOG4J is not used, and this vulnerability will not affect your system.
  • ScaleOut Java APIs do not log untrusted user input.
  • Apache LOG4J libraries version 2.0-beta9 to 2.14.1 contain a severe vulnerability.
  • Apache LOG4J versions 2.15.0, 2.16.0, and 2.17.0 contain a low vulnerability.
  • Apache LOG4J has mitigation steps, available here.
  • Apache LOG4J has a new release for Java 8+ customers (version 2.17.1), available on Maven.
  • Apache LOG4J has a new release for Java 7 customers (version 2.12.4), available on Maven.
  • ScaleOut published a new version (5.10.16.372) which uses LOG4J version 2.17.1, which is available on our website.

Mitigation:
If the ScaleOut Java APIs are not in use by your application and you wish to avoid having the LOG4J vulnerability flagged by a security scan, you can remove the vulnerable JARs from the installation directory. On Windows, you can run the installer to modify the installation and remove the Java libraries. On Linux, you can delete the JARs.

ScaleOut published a hotfix release (version 5.10.16.372) that uses LOG4J 2.17.1. This maintenance release is available on our website's Support Downloads page.

For previous ScaleOut versions >= 5.8.15.345, the ScaleOut Java APIs use LOG4J 2.11.2. If you're using ScaleOut's Java APIs then you can address the vulnerability in LOG4J by following the mitigation steps from LOG4J. Below are the mitigation steps from the LOG4J security patch:
  • Java 8 (or later) users should upgrade to release 2.17.1.
  • Users requiring Java 7 should upgrade to release 2.12.4.
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
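As an added example (not ScaleOut's or the Log4j project's own code), the following Python check walks an installation directory for log4j-core JARs, rates each version against the ranges listed in this post, and verifies whether the JndiLookup class that the zip -d step removes is still inside the JAR. The JARs it scans are constructed stand-ins created in a temporary directory; point scan_directory at a real installation directory instead.

```python
import re, tempfile, zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # removed by the zip -d step

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 9); '2.14.1' -> (2, 14, 1, 99); betas sort below finals."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised log4j version: {text}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), int(beta) if beta else 99)

def classify(version):
    """Rate a log4j-core version using only the ranges the advisory states."""
    v = parse_version(version)
    if v == parse_version("2.12.4") or v >= parse_version("2.17.1"):
        return "fixed"
    if parse_version("2.0-beta9") <= v <= parse_version("2.14.1"):
        return "severe (CVE-2021-44228)"
    if parse_version("2.15.0") <= v <= parse_version("2.17.0"):
        return "low (CVE-2021-45046)"
    return "not covered by the advisory"

def scan_jar(path):
    """Version rating plus whether JndiLookup.class is still inside the jar."""
    m = re.fullmatch(r"log4j-core-(.+)\.jar", Path(path).name)
    version = m.group(1) if m else None
    with zipfile.ZipFile(path) as jar:
        present = JNDI_CLASS in jar.namelist()
    return {"version": version, "rating": classify(version) if version else "unknown version",
            "jndi_lookup_present": present}

def scan_directory(root):
    """Scan every log4j-core-*.jar below root, e.g. a ScaleOut installation directory."""
    return {p.relative_to(root).as_posix(): scan_jar(p) for p in sorted(Path(root).rglob("log4j-core-*.jar"))}

def make_sample_jar(directory, version, with_jndi):
    """Constructed stand-in for a real jar: a dummy class plus, optionally, JndiLookup."""
    path = Path(directory, f"log4j-core-{version}.jar")
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def demo():
    """Constructed tree: the 2.11.2 jar as shipped, a copy after the zip -d mitigation, and 2.17.1."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(tmp, "2.11.2", with_jndi=True)
        make_sample_jar(Path(tmp, "patched"), "2.11.2", with_jndi=False)
        make_sample_jar(tmp, "2.17.1", with_jndi=False)
        return scan_directory(tmp)
```

Read the two fields together: a 2.11.2 JAR with JndiLookup removed still carries a vulnerable version string, which is what a version-based security scan will keep flagging, so the upgrade to 2.17.1 (or 2.12.4 on Java 7) is the only result that clears both checks.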

History:
On December 9th 2021, a vulnerability in the Apache LOG4J libraries was reported by Chen Zhaojun of the Alibaba Cloud Security Team.

On December 10th 2021, the National Institute of Standards and Technology (NIST) published an article on the vulnerability in the National Vulnerability Database (NVD). The NVD contains a Common Vulnerabilities and Exposures (CVE) entry called CVE-2021-44228 which details the LOG4J vulnerability and mitigation. The CVE contains information from the LOG4J team describing the issue, mitigation, and fix.

On December 14th 2021, ScaleOut published a hotfix release that upgrades the ScaleOut Java API libraries dependency on LOG4J-core and LOG4J-API from version 2.11.2 to version 2.15.0 to address CVE-2021-44228.

On December 14th 2021, a new vulnerability vector was discovered and CVE-2021-45046 was created. Additionally, the original mitigation step of setting system property "log4j2.formatMsgNoLookups" to "true" was invalidated. The only known mitigation steps are 1) upgrade to 2.16.0 or 2) remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

On December 15th 2021, ScaleOut published a hotfix release that upgrades the ScaleOut Java API libraries dependency on LOG4J-core and LOG4J-API from version 2.15.0 to version 2.16.0 to address CVE-2021-45046.

On December 16th 2021, ScaleOut updated the AWS Marketplace, DockerHub, and the RedHat Container Catalogue offerings with version 5.10.15.371.

On January 27th 2022, ScaleOut published version 5.10.16.372 which updates the ScaleOut Java API libraries dependency on LOG4J-core and LOG4J-API from version 2.16.0 to version 2.17.1.