Cloudera Data Engineering fix for CVE-2021-44228
On December 21, 2021, Cloudera released Cloudera Data Engineering (CDE) for Public Cloud version 1.13.0-h1-b1. It addresses the Log4j2 security vulnerabilities listed below. Cloudera urges all customers to upgrade their Data Engineering services to the latest version.
-
CVE-2021-44228 which affects Apache Log4j2 versions 2.0 through 2.14.1.
-
CVE-2021-45046 which affects Apache Log4j2 version 2.15.0
Upgrade to the latest Data Engineering version
To upgrade your Cloudera Data Engineering service to the latest
version, which addresses the log4j2 security
vulnerability, follow these steps. These steps provide a comprehensive
upgrade and are the recommended approach. To ensure compatibility with
the CDP environment, you must also upgrade the environment DataLake
to Runtime 7.2.11 or higher.
- For each existing virtual cluster, create a backup of the jobs and resources.
- Enable a new Cloudera Data Engineering service for each existing CDE service you have. Make sure to use the same settings as the existing service for each new corresponding service.
- Within each new Data Engineering service, create a new virtual cluster for each existing virtual cluster in the pre-existing service. Make sure to use the same settings as the existing virtual cluster for each new corresponding virtual cluster.
- After making sure that you have added CDE services and virtual clusters to match your existing deployment, restore the backup file for each pre-existing virtual cluster to the corresponding new virtual cluster.
Result
Your Cloudera Data Engineering service and all associated virtual clusters are upgraded to the latest version.
