Apache Log4j CVE Updates (2021, 2022)

Update 7 on Apache Log4j2 CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105

Published: 2/17/2022, Last Updated: 2/17/2022 11:24 AM EST

AnzoGraph Version 2.4.1 and 2.5.1 images and installers have been published. These artifacts include a new GDI, gdi*.jar, that upgrades the Log4j library to version 2.17.1 and fully resolves CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

Update 6 on Apache Log4j2 CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105

Published: 12/23/2021, Last Updated: 12/23/2021 1:18 PM EST

AnzoGraph Version 2.3.2, 2.3.3, and 2.4.0 images have been republished to Docker Hub and the Red Hat Marketplace for Docker and Kubernetes users. These images include a new GDI, gdi*.jar, that upgrades the Log4j library to version 2.17 and resolves CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

Update on Apache Log4j2 CVE-2021-45105

Published: 12/20/2021, Last Updated: 12/20/2021

Cambridge Semantics continues to closely monitor activities related to the resolution of CVE-2021-44228 in the Apache Log4j2 Java library, Log4Shell.

On Friday, 12/17/2021, Apache released Log4j 2.17.0 to address CVE-2021-45105, a vulnerability that affects applications whose logging configuration uses a non-default Pattern Layout with a Context Lookup. Initial investigations show that Cambridge Semantics' products by default are not configured to use non-default Pattern Layouts with Log4j and should not be affected by CVE-2021-45105. We are continuing to review all of our artifacts to determine whether an additional update of the Log4j2 library is required.

Update 5 on Apache Log4j2 CVE-2021-44228 and Related CVE-2021-45046

Published: 12/17/2021, Last Updated: 12/17/2021

Cambridge Semantics has the following updates regarding our active response to the reported Common Vulnerabilities and Exposures (CVE) in the Apache Log4j 2 Java library, Log4Shell (CVE-2021-44228), and the related CVE, CVE-2021-45046.

  • For users who deploy AnzoGraph with Docker or Kubernetes, Cambridge Semantics has now published patched AnzoGraph images of 2.3.2, 2.3.3, and 2.4.0 to the Red Hat Marketplace.
  • For users with AnzoGraph 2.2.0, 2.2.1, and 2.2.2 who installed the Graph Data Interface (GDI) (previously called the Data Toolkit) as an add-on to their static AnzoGraph installation, Cambridge Semantics has released an updated standalone GDI jar file. The Log4j dependency was upgraded to version 2.16. The updated jar file will be distributed by a technical point of contact from Cambridge Semantics. Note that the name of the jar file has changed from datatoolkit*.jar to gdi*.jar. Once you receive the file, follow the steps below to perform an in-place replacement of the existing jar file.
    1. First, back up the existing datatoolkit*.jar file by copying it from the <install_path>/lib/udx directory to a safe location on your file system.
    2. Then, delete the datatoolkit*.jar file from the <install_path>/lib/udx directory.
    3. Place the new, updated gdi*.jar file in the <install_path>/lib/udx directory.
    4. Restart AnzoGraph.

Update 4 on Apache Log4j2 CVE-2021-44228 and Related CVE-2021-45046

Published: 12/16/2021, Last Updated: 12/16/2021

Cambridge Semantics has the following updates regarding our active response to the reported Common Vulnerabilities and Exposures (CVE) in the Apache Log4j 2 Java library, Log4Shell (CVE-2021-44228) and the related CVE, CVE-2021-45046.

  • For users who deploy AnzoGraph with Docker or Kubernetes, Cambridge Semantics has published patched AnzoGraph images of 2.3.0, 2.3.2, 2.3.3, and 2.4.0 to Dockerhub. These images include an updated Graph Data Interface (GDI) that upgrades the Log4j dependency to version 2.16. The AnzoGraph front end has also been updated to use Log4j version 2.16.
  • For users who installed the GDI as an add-on to their static AnzoGraph installation, Cambridge Semantics has released an updated standalone GDI jar file. The Log4j dependency was upgraded to version 2.16. The updated GDI jar file will be distributed by a technical point of contact from Cambridge Semantics. Once you receive the file, follow the steps below to perform an in-place replacement of the existing GDI:
    1. First, back up the existing gdi*.jar file by copying it from the <install_path>/lib/udx directory to a safe location on your file system.
    2. Then, delete the gdi*.jar file from the <install_path>/lib/udx directory.
    3. Place the new, updated gdi*.jar file in the <install_path>/lib/udx directory.
    4. Restart AnzoGraph.
  • According to the Apache Log4j2 CVE announcement from Elastic, Elasticsearch version 7.8+ with JDK 9+ mitigates the risk. For static Elasticsearch installations, refer to your internal IT organization for guidance. Elasticsearch client libraries within Anzo are not affected. K8s-based Elasticsearch deployments use JDK 13+.

Update on Apache Log4j1 CVE-2021-4104

Published: 12/15/2021, Last Updated: 12/15/2021

The newly identified Log4j 1.2 JMSAppender vulnerability (CVE-2021-4104) does not affect Livy and Spark usage within Anzo. Though Log4j 1.2 is a dependency of Livy and Spark, JMSAppender is not used.

Update 3 on Apache Log4j2 CVE-2021-44228 and Related CVE-2021-45046

Published: 12/14/2021, Last Updated: 12/14/2021

Cambridge Semantics is continuing to track the latest updates to this quickly evolving situation. Due to the publication of CVE-2021-45046, it has become clear that Log4j 2.15, which Apache released as a patch to address the original CVE (CVE-2021-44228), does not resolve all vulnerabilities. Apache has now released Log4j 2.16 to address CVE-2021-45046. Cambridge Semantics is actively working to produce new artifacts with this latest update, including updated versions of the artifacts we released earlier today that contain Log4j 2.15 (see Update 2 on Apache Log4j2 CVE-2021-44228).

If you have not used our latest published artifacts referenced in Update 2 on Apache Log4j2 CVE-2021-44228, Cambridge Semantics recommends you hold off on doing so and wait for further updates announcing a newly published set of artifacts with the latest updates. The immediate, in-place mitigations listed in our initial update are still viable and effective at preventing risk exposure (see Immediate Mitigation).

If you have used our latest published artifacts referenced in Update 2 on Apache Log4j2 CVE-2021-44228, you may still face some risk exposure. Consider performing the immediate, in-place mitigations in Immediate Mitigation below. Cambridge Semantics recommends that you update to the newer set of artifacts once they are published.

Update 2 on Apache Log4j2 CVE-2021-44228

Published: 12/14/2021, Last Updated: 12/14/2021

Cambridge Semantics has some notable updates regarding our active response to the reported Common Vulnerabilities and Exposures (CVE) in the Apache Log4j 2 Java library, Log4Shell (CVE-2021-44228):

  • For users who deploy versions 2.4.0 or 2.3.3 of AnzoGraph with Docker or Kubernetes, Cambridge Semantics has pushed patched AnzoGraph images of the 2.4.0 and 2.3.3 releases to Dockerhub and Red Hat Marketplace. These images resolve the Log4j vulnerability.
  • For users who installed the Graph Data Interface (GDI) as an add-on to their static AnzoGraph installation, Cambridge Semantics has released an updated GDI jar file. The Log4j dependency was upgraded to version 2.15, and we are confident that the patched jar mitigates the vulnerability. Cambridge Semantics has also not noticed any significant regressions in GDI functionality during extensive QA performed internally.

    The updated GDI jar file will be distributed by a technical point of contact from Cambridge Semantics. Once you receive the file, follow the steps below to perform an in-place replacement of the existing GDI:

    1. First, back up the existing gdi*.jar file by copying it from the <install_path>/lib/udx directory to a safe location on your file system.
    2. Then, delete the gdi*.jar file from the <install_path>/lib/udx directory.
    3. Place the new, updated gdi*.jar file in the <install_path>/lib/udx directory.
    4. Restart AnzoGraph.

Update 1 on Apache Log4j2 CVE-2021-44228

Published: 12/13/2021, Last Updated: 12/14/2021

Cambridge Semantics is actively responding to the reported Common Vulnerabilities and Exposures (CVE) in the Apache Log4j 2 Java library, Log4Shell (CVE-2021-44228).

We have reviewed our products and found that the following components are affected:

  • Anzo (i.e. the Anzo application server) is not affected by the vulnerability.

    Running a CVE scan may log a vulnerability due to the inclusion of the log4j-api dependency in the SDI dependency jars, which are used in Anzo’s generated and compiled ETL ingestion jobs. This is not indicative of a problem. These jars do not include the log4j-core dependency, which is the artifact that contains the offending class (the log4j-api version present is 2.7).

  • The AnzoGraph front end user interface and installer use a vulnerable version of log4j (2.14.1).
    Anzo users of AnzoGraph typically do not install the AnzoGraph front end.
  • The Graph Data Interface (GDI) is exposed due to a transitive dependency in the ElasticSearch component (2.11.1).
  • Anzo Distributed Unstructured Version 5.3.x is also exposed because of its use of the GDI.
  • Livy uses an unaffected version of Log4j.
  • Spark uses an unaffected version of Log4j.

Immediate Mitigation

To immediately mitigate your exposure to the CVE in the GDI, Cambridge Semantics recommends that you take one of the following actions, depending on whether you use the GDI and whether you employ static AnzoGraph clusters or dynamic K8s-based clusters:

  • If you have a static cluster and are not using the GDI functionality, you can remove the jar file from the AnzoGraph servers (<install_path>/lib/udx/gdi*.jar) and restart AnzoGraph.
  • If you have a static cluster and are using the GDI functionality, you can repackage the jar file to remove the offending class (JndiLookup.class):
    1. First, back up the existing GDI jar by copying it to a safe location on your file system.
    2. Then run the following command to remove the class:
      zip -q -d <path_to_gdi_jar> org/apache/logging/log4j/core/lookup/JndiLookup.class
    3. To confirm that the class is removed, you can run the following command. If nothing is returned, the class was successfully deleted.
      zip -Tv <path_to_gdi_jar> | grep JndiLookup.class
    4. Restart AnzoGraph after running the command.
  • If you use K8s-based dynamic AnzoGraph clusters, you can disable the use of Java-based extensions like the GDI by importing the following TriG file contents to Anzo. These statements configure the AnzoGraph operator to set the system configuration setting jvm_enabled to false when new clusters are provisioned.

    Existing clusters will not be updated. Deprovision any existing AnzoGraph clusters and recreate them after importing the TriG file.

    @prefix : <http://cambridgesemantics.com/ontologies/CloudDeployment#> .
    @prefix anzograph: <http://cambridgesemantics.com/ontologies/CloudDeployment/AZGOperator/> .
    
    #Mode:REPLACE
    :anzographSettings {
        :anzographSettings anzograph:settings """jvm_enabled=false""" .
    }

To immediately mitigate your exposure to the CVE in the AnzoGraph front end, remove any containers that include the front end and redeploy them once updated images are available.

To immediately mitigate your exposure to the CVE in Anzo Distributed Unstructured 5.3.x, stop all leader and worker unstructured processes and do not execute any unstructured pipelines until you have installed the patched version of the software (see Medium-Term Mitigation below).

Medium-Term Mitigation

Cambridge Semantics is in the process of updating and generating new artifacts for all affected components:

  • The affected installers for AnzoGraph will be updated to use Log4j version 2.15 and be redistributed.
  • Affected versions of the AnzoGraph front end image will be updated to use Log4j version 2.15 and be redistributed.
  • The GDI will be updated to use Log4j version 2.15, and the jar file will be redistributed for users who installed the GDI as an add-on to their base AnzoGraph installation.
  • AnzoGraph Docker images (which include the GDI) will be updated and redistributed for Kubernetes and Docker users.
  • 5.3.x versions of Anzo Distributed Unstructured will be updated to use Log4j version 2.15 and be redistributed.