Technical Advisory CVE-2021-44228

On this page Carat arrow pointing down

Publication date: December 14, 2021


We have determined after careful review that no Cockroach Labs products or services are affected by the recent Apache Log4j vulnerability, CVE-2021-44228. Our products are primarily written and developed in Go and do not bundle or rely on any Java dependencies that contain a vulnerable version of Log4j.

In addition, after careful review of our internal infrastructure we have determined that no deployed configuration of Log4j is exploitable. We will continue to apply regular security patches to all infrastructure and services at our standard cadence.

Customers are strongly encouraged to apply security updates to any Java client applications that use the vulnerable Log4J component as soon as possible. More information about detecting and remediating the vulnerability can be found at the end of this advisory.


The recently disclosed remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library is currently under exploitation. Log4j is a Java library used by millions of websites, services, and applications to write log messages. A remote unauthenticated actor can exploit this vulnerability by sending a specially crafted request to gain full control of an affected system.

Mitigation and Remediation Guidance

Please reach out to the support team if you need more information or assistance.

Yes No
On this page

Yes No