VERTICA SECURITY BULLETIN - A potential vulnerability has been identified: Apache log4j library used
SUPPORT COMMUNICATION - SECURITY BULLETIN
Potential Security Impact: remote code execution
A potential vulnerability has been identified: Apache log4j library used by Vertica Server.
The vulnerability could be exploited to allow remote code execution.
CVE References: CVE-2021-44228
Please refer to https://forum.vertica.com/discussion/242515/vertica-potential-security-vulnerability-apache-log4j-cve-2021-45046#latest for the latest updates (the same thread also tracks the follow-up CVE-2021-45046).
SUPPORTED SOFTWARE VERSIONS (ONLY impacted versions are listed):
Vertica Server – all versions
CVSS Version 3.1 Metrics:
Reference V3.1 Vector V3.1 Base Score
CVE-2021-44228 N/A N/A
You can either apply the hotfix once it is available or perform the workaround below in the meantime.
Two components in the Vertica product contain a vulnerable log4j library: Management Console (MC) and the Kafka scheduler. Both are being modified to use a patched version of log4j (log4j 2.15.0). All Vertica versions currently under Committed Support (10.0, 10.1, and 11.0) will be patched, and hotfixes will be available very shortly.
The workaround below mitigates the problem while you wait for the hotfix. It removes the JndiLookup class from each bundled log4j-core jar, which disables the JNDI lookup that CVE-2021-44228 abuses; it requires the zip/unzip utilities on the host.
This workaround can be applied to the Vertica Management Console and Vertica Kafka components regardless of the Vertica version.
On every Vertica server node, strip the class from the Kafka scheduler's log4j-core jar:
zip -q -d /opt/vertica/packages/kafka/lib/log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
On the MC node, do the same for the copy of the Kafka scheduler that MC ships:
zip -q -d /opt/vconsole/vendor/vertica/kafka/lib/log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Lastly, the MC itself uses log4j, which is bundled inside webui.war and unpacked at startup into /opt/vconsole/temp/*. So you need to strip the class from the .jar inside the .war and also purge the temp directory so that the patched .war is re-extracted on the next start:
mkdir /tmp/war
cd /tmp/war
cp /opt/vconsole/lib/webui.war .
unzip -o webui.war
zip -q -d WEB-INF/lib/log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -r -u webui.war WEB-INF
sudo /etc/init.d/vertica-consoled stop
cp webui.war /opt/vconsole/lib/webui.war
rm -rf /opt/vconsole/temp/*
sudo /etc/init.d/vertica-consoled start
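The three manual steps above do the same thing in three places: remove org/apache/logging/log4j/core/lookup/JndiLookup.class from a log4j-core jar, once directly and once inside a jar nested in webui.war, and the bulletin gives no way to confirm the class is actually gone afterwards. The script below is an added example (not Vertica's code and not part of the bulletin) that does the strip with only the Python standard library, recurses into log4j-core jars nested in a .war, rewrites the archive atomically, and provides the missing post-mitigation check. The sample webui.war it builds is constructed for the demonstration: its class entries are placeholder bytes, not real bytecode, and the file names (log4j-core-2.14.1.jar, WEB-INF/web.xml) are assumptions.

```python
#!/usr/bin/env python3
"""Added example: strip JndiLookup.class from log4j-core jars, including a jar nested
inside a .war (the webui.war case), then verify the class is really gone.
Standard library only; the sample archive below is constructed, not real bytecode."""
import io
import os
import sys
import tempfile
import zipfile

# Class whose removal disables the JNDI lookup behind CVE-2021-44228
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _is_log4j_core(name: str) -> bool:
    """True for entries that look like a log4j-core jar (e.g. WEB-INF/lib/log4j-core-2.14.1.jar)."""
    base = os.path.basename(name)
    return base.startswith("log4j-core") and base.endswith(".jar")


def entries(data: bytes) -> list:
    """Top-level entry names of a zip/jar/war given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def contains_jndi_lookup(data: bytes) -> bool:
    """True if the archive, or any log4j-core jar nested in it, still ships JndiLookup.class.
    This is the post-mitigation check the manual zip -d commands do not include."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.filename == JNDI_CLASS:
                return True
            if _is_log4j_core(info.filename) and contains_jndi_lookup(z.read(info.filename)):
                return True
    return False


def strip_jndi_bytes(data: bytes):
    """Return (new_archive_bytes, removed_anything). Every other entry is copied through
    unchanged; nested log4j-core jars are rewritten recursively, which is what the
    unzip / zip -d / zip -u sequence on webui.war does by hand."""
    removed = False
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            payload = zin.read(info.filename)
            if _is_log4j_core(info.filename):
                payload, nested = strip_jndi_bytes(payload)
                removed = removed or nested
            zout.writestr(info, payload)  # keeps name, timestamp and compression method
    return out.getvalue(), removed


def strip_jndi_file(path: str) -> bool:
    """Rewrite the archive at `path` in place (atomically, via a sibling temp file).
    Returns whether JndiLookup.class was removed anywhere."""
    with open(path, "rb") as f:
        new, removed = strip_jndi_bytes(f.read())
    if removed:
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(new)
        os.replace(tmp, path)
    return removed


def build_sample_war() -> bytes:
    """Constructed test input (assumed names): a fake webui.war whose
    WEB-INF/lib/log4j-core-2.14.1.jar still contains JndiLookup.class."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe keep")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe jndi")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", b"<web-app/>")
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    return war.getvalue()


def demo_on_disk() -> tuple:
    """Round trip through a real file: (vulnerable_before, removed, vulnerable_after, second_run_removed)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "webui.war")
        with open(path, "wb") as f:
            f.write(build_sample_war())
        with open(path, "rb") as f:
            before = contains_jndi_lookup(f.read())
        removed = strip_jndi_file(path)
        with open(path, "rb") as f:
            after = contains_jndi_lookup(f.read())
        again = strip_jndi_file(path)  # idempotent: nothing left to remove
    return before, removed, after, again


if __name__ == "__main__":
    # Usage: strip_jndi.py /opt/vconsole/lib/webui.war /opt/vertica/packages/kafka/lib/log4j-core-*.jar
    for p in sys.argv[1:]:
        changed = strip_jndi_file(p)
        with open(p, "rb") as f:
            still = contains_jndi_lookup(f.read())
        print(f"{p}: {'stripped' if changed else 'unchanged'}, JndiLookup {'STILL PRESENT' if still else 'absent'}")
    if not sys.argv[1:]:
        print("sample war round trip:", demo_on_disk())
```

Two caveats that apply to the manual commands as well. First, the shell glob in `zip -q -d .../log4j-core*.jar ...` must expand to exactly one jar: if several log4j-core jars sit in the directory, zip takes the first as the archive and the rest as entries to delete, so run the command once per jar (the script above takes each path explicitly). Second, for the MC the rewritten webui.war is only picked up after vertica-consoled is stopped, /opt/vconsole/temp/* is purged and the service is started again, exactly as in the procedure above; the script changes the file on disk and does not touch the service. Keep a copy of the original archives before replacing them.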
Vertica Accelerator (Vertica as a Service)
Vertica Accelerator is not impacted by this vulnerability.