CVE-2021-44228 remediation for CDP Private Cloud Data Services 1.3.3
CDP Private Cloud Data Services 1.3.3 contains mitigation for the Apache Log4j 2 vulnerability tracked as CVE-2021-44228 (JNDI lookup remote code execution). Depending on the component, the mitigation is achieved either by upgrading the embedded Log4j 2 version to 2.16 or by removing the affected JndiLookup class from the Log4j jars that remain in place.
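Both mitigation strategies named above (upgrade to 2.16, or strip the JndiLookup class from jars that stay in place) can be verified from the jar files themselves. The following script is an added example for this page, not Cloudera code: it reads the log4j-core version from the Maven pom.properties inside a jar, checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, reports which jars still need remediation, and can apply the class-removal mitigation (the equivalent of `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). The 2.16 threshold is taken from this page's remediation target; the sample jar built by make_sample_jar is constructed for offline demonstration and is not a real Log4j artifact.

```python
"""Log4Shell jar checker and JndiLookup stripper (added example, not Cloudera code)."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption: the page's remediation target is Log4j 2.16, so anything older
# that still ships JndiLookup.class is treated as needing remediation.
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); malformed input -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def log4j_core_version(zf):
    """Read the log4j-core version from Maven's pom.properties inside the jar."""
    for name in zf.namelist():
        if name.endswith(POM_PROPS):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    return None


def scan_jar(path):
    """Report version, presence of JndiLookup.class, and remediation status."""
    with zipfile.ZipFile(path) as zf:
        version = log4j_core_version(zf)
        has_jndi = JNDI_LOOKUP in zf.namelist()
    # A jar needs work when the exploitable class is present AND the version is
    # below 2.16 or unknown. A 2.16+ jar still containing JndiLookup is fine:
    # the upgrade path hardens the class rather than deleting it.
    needs = has_jndi and (version is None or version < FIXED_VERSION)
    return {"version": version, "has_jndi_lookup": has_jndi, "needs_remediation": needs}


def strip_jndi_lookup(path):
    """Rewrite the jar in place without JndiLookup.class (the removal mitigation).
    Returns True if the class was removed, False if it was not present."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, path)  # atomic replace on the same filesystem
    return True


def scan_tree(root):
    """Walk a directory tree and return {jar_path: report} for jars needing remediation."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                p = os.path.join(dirpath, f)
                try:
                    report = scan_jar(p)
                except zipfile.BadZipFile:
                    continue  # not a real zip; skip rather than crash the sweep
                if report["needs_remediation"]:
                    findings[p] = report
    return findings


def make_sample_jar(path, version, include_jndi=True):
    """Constructed minimal log4j-core-like jar for offline demonstration only."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return path


def demo():
    """Build a vulnerable sample jar, scan it, strip the class, rescan."""
    d = tempfile.mkdtemp()
    jar = make_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1")
    before = scan_jar(jar)
    strip_jndi_lookup(jar)
    after = scan_jar(jar)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

Run `scan_tree("/path/to/engine")` against an unpacked image or a host filesystem to list jars that still need attention; note that it deliberately does not descend into nested jars or war files, which a full sweep would also need to open.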
Dependencies
CDP Private Cloud Data Services 1.3.3 requires that you upgrade Cloudera Manager (CM) to version 7.5.4-20668437, which contains the mitigation for the Log4j vulnerability. Upgrade CM first; the data services mitigations below assume a remediated CM.
Remediation for Management Console
CVE-2021-44228 has been addressed in the Management Console on CDP Private Cloud Data Services 1.3.3 by upgrading Apache Log4j 2 to version 2.16.
Remediation for Cloudera Machine Learning (CML)
The CML engine image engine:15-cml-2021.09-2 removes the JndiLookup class from all Log4j versions in the engine image. This update addresses the issue found in CVE-2021-44228: JndiLookup is the class that resolves ${jndi:...} lookups, so removing it from the jar disables the exploitable code path even though the Log4j version string recorded in the jar is unchanged. Version-only scanners will therefore continue to report the pre-2.16 version for these jars; check for the presence of the class rather than the version alone. An inaccessible log4j2 jar is also present in /root, but the jar file is not reachable by CML sessions. Therefore, the jar file does not pose a security threat.
Remediation for Cloudera Data Engineering (CDE)
CVE-2021-44228 has been addressed in CDE on CDP Private Cloud Data Services 1.3.3 by upgrading Apache Log4j 2 to version 2.16.
Remediation for Cloudera Data Warehousing (CDW)
CVE-2021-44228 has been addressed in CDW on CDP Private Cloud Data Services 1.3.3 by upgrading Apache Log4j 2 to version 2.16.