CVE-2021-44228 Security Vulnerability Announcement

[jmlorti]

The HPCC Systems team has been made aware of the Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial-of-service attack. More details can be found on the Apache Log4J 2 website: https://logging.apache.org/log4j/2.x/.

This announcement summarizes the currently known potential impacts to the HPCC Systems platform. At this point, our engineering and security teams have determined that impacts are limited to the HPCC4J, and the Spark-plugins. The base HPCC Systems Platform does not use or reference Log4j and is not directly affected by the CVE-2021-44228 vulnerability.

Our engineering and security teams continue to actively work on the analysis and any additional actions our users should perform will be updated in this forum post on an ongoing basis until the issue is resolved.

• The base HPCC Systems Platform does not use or reference Log4j and is not directly affected by the CVE-2021-44228 vulnerability
• Affected HPCC Systems add-ons referenced vulnerable versions of log4j:
  
  • HPCC4J/WsClient (affected versions: < 8.4.16, patched versions: 7.12.84-rc2, 8.0.56-rc2, 8.2.40-rc2, 8.4.18-rc2 )
  • Spark-HPCC (affected versions: < 8.4.16, patched versions: 7.12.84-rc2, 8.0.56-rc2, 8.2.40-rc2, 8.4.18-rc2)
  • Users are strongly encouraged to update to the latest point release.
• Helm chart provided by HPCC deploys Elastic Stack components which have been reported to be affected:
  
  • elastic4hpcclogs (affected chart versions: < 1.0.2, patched version: 1.2.0)
  • Chart version 1.2.0 targets Elastic v7.16.1
  • Elastic’s security announcement: https://discuss.elastic.co/t/apache-log ... -31/291476
  • Users are strongly encouraged to target elastic4hpcclogs 1.2.0