Cloudera DataFlow fix for CVE-2021-44228
On December 17, 2021, Cloudera released Cloudera DataFlow (CDF) for Public Cloud version 1.0.3-h1-b6. It addresses 2 CVEs and other vulnerability concerns as listed below. Cloudera urges all customers to upgrade their DataFlow services to the latest version.
-
CVE-2021-44228 which affects Apache Log4j2 versions 2.0 through 2.14.1.
-
CVE-2021-45046 which affects Apache Log4j2 version 2.15.0
-
LOGBACK-1591 which affects logback versions <= 1.2.7
Upgrade to the latest DataFlow version
To upgrade your DataFlow service to the latest version, which includes fixes for the log4j2 security vulnerability and logback mitigation issues, follow these steps. These steps provide a comprehensive upgrade and are the recommended approach. After completing these steps, no additional action is required.
- Terminate running deployments.
- Disable DataFlow for an environment.
- Enable DataFlow for an environment.
- Recreate your deployments.
Result
You are upgraded to the latest version of the DataFlow service and all deployments are running the latest NiFi Runtime.
Upgrade DataFlow deployments to the latest NiFi Runtime
For customers with an enabled DataFlow service 1.0.2 - 1.0.3 who want to address log4j2 CVE mitigation only as an immediate action and not fully disable and recreate DataFlow service and deployments. For each running deployment:
- From the DataFlow Dashboard, click Manage Deployment.
- Select Change NiFi Version from the Actions drop-down.
- Select Latest Version (1.14.0.2.3.2.1-6) and click Apply.
Result
For each DataFlow Deployment, this upgrades the running NiFi cluster to a version of NiFi that includes log4j2 and logback vulnerability mitigation.
After completing these steps, Cloudera recommends that you do plan to upgrade to the latest version of your DataFlow service.