TPS-2021-003 Triton and Manta not vulnerable to CVE-2021-44228, CVE-2021-4104 (log4j)
Overview
As has been widely reported, log4j (a Java logging library) is vulnerable
to remote code execution. See
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228.
Triton and Manta use zookeeper for state management of Manatee, and for
service component registration in the binder or nameservice component.
While our version of zookeeper does include log4j, we use version 1.2.15
which is not vulnerable to CVE-2021-44228 according to the Apache
advisory. Additionally, CVE-2021-4104 covers usage of log4j when using
JMSAppender. We do not use JMSAppender, and are thus not vulnerable there
either.
Zookeeper is the only component of Triton and Manta that is written in Java.
Actions taken by Joyent
We have written this advisory to help better understand usage of Java, and log4j in the Triton and Manta products.
Actions You Need to Take
There are no actions you need to take since Triton and Manta are not vulnerable.
Support
If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.