CVE-2021-44228 remediation for CDP Private Cloud Data Services 1.4.0

CDP Private Cloud Data Services 1.4.0 contains mitigation for the Apache Log4j 2 vulnerability tracked as CVE-2021-44228. Depending on the component, the mitigation is achieved either by upgrading the embedded Log4j 2 version to 2.17.1 or by removing the affected JndiLookup class from the Log4j jars.

Dependencies

CDP Private Cloud Data Services 1.4.0 requires that you upgrade Cloudera Manager (CM) to version 7.5.5, which contains the mitigation for the Log4j vulnerability. Upgrade CM first; the Data Services mitigation does not cover the CM host itself.

Remediation for Management Console

CVE-2021-44228 has been addressed in the Management Console on CDP Private Cloud Data Services 1.4.0 by upgrading Apache Log4j 2 to version 2.17.1.

Remediation for Cloudera Machine Learning (CML)

The CML engine image engine:15-cml-2021.09-2 removes the JndiLookup class from every Log4j jar in the engine image, which addresses CVE-2021-44228 without changing the Log4j version. A log4j2 jar also remains under /root, but that location is not reachable from CML sessions, so the jar does not pose a security threat. Filesystem-based vulnerability scanners that read /root may still report it; that report can be treated as a known false positive for this image.
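The two mitigation paths above (Log4j 2 upgraded to 2.17.1 for the Management Console, CDE and CDW; JndiLookup.class stripped from the jars in the CML engine image) can be verified with the same audit. The following script is an added example, not Cloudera's or Apache's code: it opens each archive, looks for the real log4j-core entry names (the Maven pom.properties and the JndiLookup class), recurses into nested jars inside WAR or EAR files, and reports a jar as mitigated only if its version is 2.17.1 or later or the JndiLookup class is absent. The sample jars it builds are constructed stand-ins with the same entry layout, not real Log4j bytes, and the 2.17.1 threshold is taken from this page.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Iterator, Optional

# Real entry names inside a log4j-core jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 1)  # the version this page treats as the fix
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str             # file path; "!" separates nested archives
    version: Optional[tuple]  # (major, minor, patch) or None if undetermined
    has_jndi_lookup: bool

    @property
    def mitigated(self) -> bool:
        # 2.17.1 still ships JndiLookup.class (JNDI lookups are disabled by
        # default), so the version check must run before the class check.
        if self.version is not None and self.version >= FIXED:
            return True
        return not self.has_jndi_lookup


def parse_version(text: str) -> Optional[tuple]:
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def core_version(zf: zipfile.ZipFile, location: str) -> Optional[tuple]:
    """Version from Maven pom.properties, else from a log4j-core-X.Y.Z.jar file name."""
    if POM_PROPS in zf.namelist():
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if m:
            return parse_version(m.group(1))
    base = os.path.basename(location.rsplit("!", 1)[-1])
    return parse_version(base) if base.startswith("log4j-core") else None


def inspect_archive(data: bytes, location: str) -> Iterator[Finding]:
    """Yield a Finding per log4j-core jar in `data`, recursing into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            yield Finding(location, core_version(zf, location), JNDI_LOOKUP in names)
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                try:
                    yield from inspect_archive(zf.read(n), f"{location}!{n}")
                except zipfile.BadZipFile:
                    continue  # entry is not a real archive; skip it


def scan_tree(root: str) -> list:
    """Walk a directory (for example an unpacked engine image) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    try:
                        findings.extend(inspect_archive(fh.read(), path))
                    except zipfile.BadZipFile:
                        pass
    return findings


def build_sample_jar(version: str, keep_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar (same entry names, not real Log4j bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> dict:
    """Audit three constructed cases; returns {location: mitigated}."""
    war = io.BytesIO()  # constructed WAR bundling an upgraded jar under WEB-INF/lib
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", build_sample_jar("2.17.1", True))
    cases = {
        "log4j-core-2.14.1.jar": build_sample_jar("2.14.1", keep_jndi_lookup=True),
        "log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", keep_jndi_lookup=False),
        "app.war": war.getvalue(),
    }
    return {f.location: f.mitigated for name, data in cases.items()
            for f in inspect_archive(data, name)}


if __name__ == "__main__":
    for location, ok in demo().items():
        print(("mitigated " if ok else "VULNERABLE") + "  " + location)
```

Point scan_tree at a mounted container filesystem or an unpacked image to audit a real host; the class-removal path it checks for is what the CML engine image applies (the same result the standard `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` workaround produces). The script only inspects archives, so it misses classes unpacked directly onto disk, and it says nothing about Log4j 1.x, which is not affected by CVE-2021-44228.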

Remediation for Cloudera Data Engineering (CDE)

CVE-2021-44228 has been addressed in CDE on CDP Private Cloud Data Services 1.4.0 by upgrading Apache Log4j 2 to version 2.17.1.

Remediation for Cloudera Data Warehousing (CDW)

CVE-2021-44228 has been addressed in CDW on CDP Private Cloud Data Services 1.4.0 by upgrading Apache Log4j 2 to version 2.17.1.