Apache log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046

Originally published at: Apache log4j Vulnerabilities CVE-2021-44228 and CVE-2021-45046 | InfluxData

InfluxData is aware of the Apache log4j (log4j) vulnerabilities CVE-2021-44228 and CVE-2021-45046. We employ rigorous security practices to safeguard our products and their dependencies as well as software used to deliver our cloud services. We want you to be aware that our software does NOT employ log4j, nor is it within our supply chain.

The scope of this statement covers all versions of our services and software including:

  • InfluxDB OSS
  • InfluxDB Enterprise
  • InfluxDB Cloud
  • Telegraf
  • Kapacitor
  • Chronograf

This also includes our official Docker images.

InfluxData uses software on backend systems that include log4j. These systems have been patched as of 10 December 2021 and remain isolated from our cloud services infrastructure.

If you have any additional questions or concerns, you may contact us at security@influxdata.com.

Thanks team, we use telegraf’s go module version: https://github.com/influxdata/telegraf/blob/v1.14.5 in our stack and we found the below hits when we searched for log4j in the go mod cache folder (~/go/pkg/mod):

  • ~/go/pkg/mod/github.com/apache/thrift@v0.12.0/lib/java/test/log4j.properties
  • ~/go/pkg/mod/gopkg.in/olivere/elastic.v5@v5.0.70/etc/log4j2.properties

Per our assessment, it feels like the source code of these dependencies, which are part of telegraf/go.mod at v1.14.5 · influxdata/telegraf · GitHub, is getting downloaded into the go mod cache path (~/go/pkg/mod) but is not exercised at all in the go mod usage of telegraf, as these files are Java code specific.

Please let us know if my understanding is correct on this. Let me know if you need more info.

We deleted those log4j files and could build and run the telegraf binary without issues, so we believe those are coming as part of the source code and are not needed at build and runtime, per our assessment earlier.

Hope my understanding is correct here.
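As an added example, not code from the thread or from InfluxData, the script below automates the check the reply describes: it walks a Go module cache, reports every file whose name contains "log4j", attributes each hit to its `module@version`, and separates inert Java configuration files from actual Java artifacts (`.jar`, `.class`, `.java`), which are the only hits that would need further review. It builds a constructed sample cache containing the two paths from the thread plus a hypothetical jar so it runs offline; point `scan_log4j` at a real `~/go/pkg/mod` to use it for real.

```shell
#!/bin/sh
# Added example (not from the original thread). Go only compiles the .go files
# of a module, so a Java log4j.properties shipped inside a dependency's source
# tree is inert; only Java artifacts would mean log4j code is actually present.

# scan_log4j ROOT: prints "<kind> <module@version> <relative path>" per hit.
scan_log4j() {
  root="$1"
  find "$root" -type f -iname '*log4j*' 2>/dev/null | while IFS= read -r f; do
    rel="${f#"$root"/}"
    # Module path is everything up to and including the "@version" element.
    mod=$(printf '%s\n' "$rel" | sed -n 's#^\(.*@[^/]*\)/.*#\1#p')
    [ -n "$mod" ] || mod="(not-a-module-path)"
    case "$f" in
      *.jar|*.class|*.java)                 kind="JAVA_CODE" ;;
      *.properties|*.xml|*.yaml|*.yml|*.json) kind="CONFIG_ONLY" ;;
      *)                                    kind="OTHER" ;;
    esac
    printf '%s %s %s\n' "$kind" "$mod" "$rel"
  done
}

# has_java_log4j ROOT: exit 0 if any hit is real Java code, 1 otherwise.
has_java_log4j() {
  scan_log4j "$1" | grep -q '^JAVA_CODE '
}

# make_sample_cache DIR: constructed sample mirroring the two hits from the
# thread plus one hypothetical jar (example.com/hypothetical is made up).
make_sample_cache() {
  d="$1"
  mkdir -p "$d/github.com/apache/thrift@v0.12.0/lib/java/test" \
           "$d/gopkg.in/olivere/elastic.v5@v5.0.70/etc" \
           "$d/example.com/hypothetical@v0.0.1/vendor"
  : > "$d/github.com/apache/thrift@v0.12.0/lib/java/test/log4j.properties"
  : > "$d/gopkg.in/olivere/elastic.v5@v5.0.70/etc/log4j2.properties"
  : > "$d/example.com/hypothetical@v0.0.1/vendor/log4j-core-example.jar"
}

# Demo on the constructed sample. For a real check run:
#   scan_log4j "${MODCACHE:-$HOME/go/pkg/mod}"
sample=$(mktemp -d)
make_sample_cache "$sample"
scan_log4j "$sample"
if has_java_log4j "$sample"; then
  echo "Java log4j artifacts present in the cache: review those modules"
else
  echo "only inert configuration hits: log4j code is not in the cache"
fi
rm -rf "$sample"
```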