CVE-2021-45105 & CVE-2021-44832 Remediation for 7.2.7

This page describes the remediation of CVE-2021-45105 and CVE-2021-44832 for Runtime 7.2.7.

On February 1, 2022, Cloudera released a hotfix to Public Cloud Runtime version 7.2.7. It addresses the vulnerabilities listed below:

  • CVE-2021-45105 which affects Apache Log4j2 versions from 2.0-beta9 to 2.16.0, excluding 2.12.3

  • CVE-2021-44832 which affects Apache Log4j2 versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4
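The two ranges above can be checked against an inventory of `log4j-core` jars. The following is an added example, not Cloudera or Apache code: the function names, the `log4j-core-<version>.jar` naming and the sample paths are assumptions, as is the rule that later patch releases on an excluded line keep the fix.

```python
import re

# Affected ranges as listed on this page: first affected, last affected, excluded (fixed) releases.
AFFECTED = {
    "CVE-2021-45105": ("2.0-beta9", "2.16.0", ("2.12.3",)),
    "CVE-2021-44832": ("2.0-alpha7", "2.17.0", ("2.3.2", "2.12.4")),
}
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before the final release
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
JAR_RE = re.compile(r"log4j-core-(.+)\.jar$")

# Constructed sample paths, for illustration only.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.17.0.jar",
    "/opt/app/lib/log4j-core-2.13.2-vendor1.jar",
]

def version_key(version):
    """Turn '2.0-beta9' or '2.12.3' into a tuple that sorts in release order."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Log4j2 version: {version!r}")
    major, minor, patch, qual, qnum = m.groups()
    rank = QUALIFIER_RANK[qual.lower()] if qual else 3  # final release ranks highest
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))

def affected_cves(version):
    """Return the CVEs whose listed range covers `version`."""
    key = version_key(version)
    hits = []
    for cve, (first, last, fixed) in AFFECTED.items():
        # Assumption: later patch releases on an excluded major.minor line keep the fix.
        backported = any(key[:2] == f[:2] and key >= f for f in map(version_key, fixed))
        if not backported and version_key(first) <= key <= version_key(last):
            hits.append(cve)
    return hits

def audit_jars(paths):
    """Map each log4j-core jar path to its CVE list; None means check the version manually."""
    report = {}
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            try:
                report[path] = affected_cves(m.group(1))
            except ValueError:
                report[path] = None  # suffixed or unknown version string
    return report
```

A `None` entry means the version string did not parse and that jar needs a manual check rather than being treated as unaffected.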

All new CDP environments with Data Lakes using Runtime 7.2.7 that are registered after this hotfix was released include the vulnerability fix.

You should upgrade your CDP services running Runtime version 7.2.7 so that they include the hotfix. You can update your existing Data Lake and Data Hubs by performing a maintenance upgrade. You should first upgrade the Data Lake and then upgrade all the Data Hubs that are using the Data Lake. The maintenance upgrade is not supported for RAZ-enabled environments. Refer to the Data Lake upgrade and Data Hub upgrade documentation.