Publication date: December 14, 2021
We have determined after careful review that no Cockroach Labs products or services are affected by the recent Apache Log4j vulnerability, CVE-2021-44228. Our products are primarily written and developed in Go and do not bundle or rely on any Java dependencies that contain a vulnerable version of Log4j.
In addition, after careful review of our internal infrastructure we have determined that no deployed configuration of Log4j is exploitable. We will continue to apply regular security patches to all infrastructure and services at our standard cadence.
Customers are strongly encouraged to apply security updates to any Java client applications that use the vulnerable Log4J component as soon as possible. More information about detecting and remediating the vulnerability can be found at the end of this advisory.
The recently disclosed remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library is currently under exploitation. Log4j is a Java library used by millions of websites, services, and applications to write log messages. A remote unauthenticated actor can exploit this vulnerability by sending a specially crafted request to gain full control of an affected system.
Mitigation and Remediation Guidance
- CISA - Apache Log4j Vulnerability Guidance
- Microsoft Security Blog - Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
Please reach out to the support team if you need more information or assistance.