Hi Dojo,
We have a DMA running Cassandra but not Elastic. A vulnerability scanning tool is installed on the server and it detected a critical issue of Apache Log4j Unsupported Version Detection.
If DataMiner/Cassandra is not affected, then may I ask why is the Log4j present on the report in this case ? Thanks in advance.
Hi Arunkrishna,
The presence of Log4J does not necessarily mean the vulnerability is present, the vulnerability is present in versions 2.0 through 2.16. Log4J version 1.X does not contain the vulnerability. From the error it looks like an older version of Log4J is present, can you check which version?
The vulnerability is only present when the log4j-core-2.X.X.jar file exists in the Cassandra or Elasticsearch installation folders (other filenames may contain “log4j” but are not subject to Log4Shell).
We have contacted the Cassandra support team and they confirmed the vulnerability was not present.
CVE-2021-4104: Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
Cassandra is not configured to use the JMSAppender so this vulnerability is not exploitable. You can manually verify this by verifying JMSAppender is not used in the logback.xml & logback-tools.xml files located in C:Program FilesCassandraconf
I would not recommend updating Log4J. Instead, we should upgrade Cassandra itself, we will provide a guide for this.
Thank you, please let me know on how to proceed on this. 🙂
Hi Jens, we have this :
Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104).
“Upgrade to Apache Log4j version 2.16.0 or later since 1.x is end of life.
Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest
versions.”
does this mean we need to upgrade Apache Log4j ?