CVE-2021-44228 Remediation for Cloudera Enterprise 6.3.3 and 6.3.4

As mentioned in Cloudera Technical Service Bulletin 2021-545 (Critical vulnerability in log4j2 CVE-2021-44228), Cloudera Enterprise 6.3.3 and 6.3.4 (both Cloudera Distributed Hadoop (CDH) and Cloudera Manager (CM)) are impacted by the recent Apache Log4j2 vulnerability. As per that bulletin:

The Apache Security team has released a security advisory for CVE-2021-44228 which affects Apache Log4j2. A malicious user could exploit this vulnerability to run arbitrary code as the user or service account running the affected software. Software products using log4j versions 2.0 through 2.14.1 are affected and log4j 1.x is not affected. Cloudera is making short-term workarounds available for affected software and is in the process of creating new releases containing fixes for this CVE.

Short Term Resolution

Remediation steps are outlined in the TSB-545 documentation.

Be aware that the following actions bring the vulnerable jar files back into use, so the short-term workaround has to be re-applied afterwards:

  • Scaling up cluster (adding a host to Cloudera Manager or the cluster)

  • Redistributing the CDH parcels

  • Reinstalling the Cloudera Manager packages
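Because each of the actions above can silently reintroduce the vulnerable jars, a host-level check after such an action is worth having. The script below is an added example, not Cloudera's tooling and not part of TSB-545: it walks a directory tree, identifies log4j-core jars from their embedded Maven pom.properties (falling back to the file name), and classifies each one using the affected range stated above (2.0 through 2.14.1). As a secondary signal it reports whether the jar still contains the JNDI lookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class), so a vulnerable-version jar from which that class has been stripped is reported as "mitigated" rather than "affected". The sample parcel layout and the jars under it are constructed in a temporary directory purely so the example runs offline; the real path to scan on a cluster host is an assumption you supply.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range from the bulletin: log4j2 2.0 through 2.14.1 (log4j 1.x is not affected).
AFFECTED_MAX = (2, 14, 1)
# Entry name of the JNDI lookup class inside a real log4j-core jar.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that a log4j-core jar carries; gives us the exact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_VERSION_RE = re.compile(r"log4j-core-(\d+(?:\.\d+){1,2})")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0); None if not parseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(text):
    """True for log4j2 versions 2.0 .. 2.14.1 inclusive."""
    v = parse_version(text)
    return v is not None and v[0] == 2 and v <= AFFECTED_MAX


def jar_version(zf, path):
    """Version from pom.properties if present, else from the jar file name."""
    names = zf.namelist()
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = FILENAME_VERSION_RE.search(os.path.basename(path))
    return m.group(1) if m else None


def inspect_jar(path):
    """Return a finding dict for a log4j-core jar, or None for any other file."""
    try:
        with zipfile.ZipFile(path) as zf:
            version = jar_version(zf, str(path))
            jndi_present = JNDI_LOOKUP_ENTRY in zf.namelist()
    except zipfile.BadZipFile:
        return None
    if version is None:
        return None  # not recognisable as log4j-core
    if not is_affected_version(version):
        status = "fixed"        # outside the affected range
    elif jndi_present:
        status = "affected"     # vulnerable version, lookup class still shipped
    else:
        status = "mitigated"    # vulnerable version, lookup class removed
    return {"path": str(path), "version": version,
            "jndi_lookup_present": jndi_present, "status": status}


def scan(root):
    """Walk root and return findings for every log4j-core jar, sorted by path."""
    findings = []
    for p in sorted(Path(root).rglob("*.jar")):
        f = inspect_jar(p)
        if f is not None:
            findings.append(f)
    return findings


def make_sample_jar(path, version, keep_jndi_lookup):
    # Constructed stand-in for a log4j-core jar: only the metadata and the
    # class entry name matter to the scanner, so the class body is a dummy.
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                                    f"artifactId=log4j-core\nversion={version}\n")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def build_sample_tree(root=None):
    """Constructed, hypothetical parcel layout used to exercise the scanner."""
    root = root or tempfile.mkdtemp(prefix="log4j-scan-")
    lib = Path(root) / "parcels" / "CDH" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    make_sample_jar(lib / "log4j-core-2.11.1.jar", "2.11.1", True)    # affected
    make_sample_jar(lib / "log4j-core-2.14.1.jar", "2.14.1", False)   # mitigated
    make_sample_jar(lib / "log4j-core-2.17.1.jar", "2.17.1", True)    # fixed
    with zipfile.ZipFile(lib / "other-lib-1.0.jar", "w") as zf:       # ignored
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(f"{finding['status']:10} {finding['version']:8} {finding['path']}")
```

On a cluster host you would call scan() with the parcel and package directories instead of the constructed tree, and re-run it after any of the three actions listed above; any "affected" or "mitigated" result means the host still carries a version in the affected range and the long-term upgrade below is the only complete fix.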

Long Term Resolution - installation of patched versions of CDH and Cloudera Manager

Follow these instructions to upgrade:

First deactivate and then remove the vulnerable parcels, using this documentation. No action is needed on the OS packages, as they are replaced during the upgrade procedure.

Patches are available for the following GA versions of Cloudera Enterprise:

  • Cloudera Manager 6.3.3
  • Cloudera Manager 6.3.4
  • CDH 6.3.4
  • CDH 6.3.3