Is SingleStore impacted by the Log4j security issue?
As I am sure you are aware, on December 9th, a critical zero-day vulnerability affecting Apache Log4j2 (CVE-2021-44228) was disclosed by Apache. As a valued SingleStore customer, we wanted to reassure you that this vulnerability does not affect SingleStore in any way and to clarify why.
What is the Apache Log4j2 JNDI vulnerability?
From the NIST National Vulnerability Database: “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”
Does this affect SingleStore?
In short, no: this vulnerability does not affect SingleStore. Log4j is a widely used logging library for the Java programming language, and SingleStore uses Java in only rare cases. SingleStore uses Apache Log4j for HDFS Pipelines, a feature for loading data from HDFS, and Log4j is also used by Replicate, a third-party tool for transferring data from a wide variety of heterogeneous databases into SingleStore.
HDFS Pipelines - SingleStore uses Log4j version 1.2.17, which is not exposed to this vulnerability, so the issue does not apply.
Blitzz Replicate - Replicate is not a SingleStore product; however, Blitzz has confirmed that it uses version 1.7, which is also not vulnerable to this exploit.
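The reasoning above is a version check: Log4j 1.x is a separate code base, Log4j2 up to 2.14.1 has message lookups enabled, and 2.15.0 disables them by default. The script below, an added example that is not SingleStore's or Blitzz's code, encodes that check and also scans a directory of jars for the log4j-core 2.x JndiLookup class so an operator can inventory their own deployment; the two jars it builds are constructed placeholders, not real Log4j builds.

```python
import tempfile
import zipfile
from pathlib import Path

# Class that implements message-lookup JNDI resolution in log4j-core 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; a pre-release
    suffix ranks below the final release, so 2.0-beta9 < 2.0 < 2.15.0."""
    core, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))  # pad '2.0' to (2, 0, 0)
    return nums + ((0, suffix) if suffix else (1, ""))

def classify_log4j_version(version: str) -> str:
    """Classify a Log4j version against the CVE-2021-44228 range in the NVD text."""
    v = parse_version(version)
    if v[0] == 1:
        # Log4j 1.x is a separate code base without Log4j2's message lookups.
        return "log4j1-not-in-scope"
    if v[0] == 2 and v < parse_version("2.15.0"):
        return "affected"  # Log4j2 <= 2.14.1: lookups enabled by default
    return "lookups-disabled-by-default"  # 2.15.0 and later, per the NVD text

def jar_has_jndi_lookup(jar_path: str) -> bool:
    """True if the jar ships JndiLookup, i.e. it is a log4j-core 2.x build."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()

def scan_directory(root: str) -> list:
    """Base names of every jar under root that contains the JndiLookup class."""
    return sorted(p.name for p in Path(root).rglob("*.jar") if jar_has_jndi_lookup(str(p)))

def demo_scan() -> list:
    """Build two constructed jars (not real log4j builds) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp) / "log4j-core-2.14.1.jar", "w") as jar:
            jar.writestr(JNDI_LOOKUP_CLASS, b"constructed placeholder, not bytecode")
        with zipfile.ZipFile(Path(tmp) / "log4j-1.2.17.jar", "w") as jar:
            jar.writestr("org/apache/log4j/Logger.class", b"constructed placeholder")
        return scan_directory(tmp)

if __name__ == "__main__":
    print("jars shipping JndiLookup:", demo_scan())
    for v in ("1.2.17", "2.0-beta9", "2.14.1", "2.15.0"):
        print(v, "->", classify_log4j_version(v))
```

Point scan_directory at a real lib directory to list the jars that carry the 2.x lookup class, then feed each jar's version string to classify_log4j_version.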