TPS-2021-003 Triton and Manta not vulnerable to CVE-2021-44228, CVE-2021-4104 (log4j)

Overview

As has been widely reported, log4j (a Java logging library) is vulnerable to remote code execution. See https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228.

Triton and Manta use ZooKeeper for state management of Manatee and for service component registration in the binder or nameservice component. While our version of ZooKeeper does include log4j, it is version 1.2.15, which is not vulnerable to CVE-2021-44228 according to the Apache advisory. Additionally, CVE-2021-4104 covers use of log4j only when JMSAppender is configured. We do not use JMSAppender, and are thus not vulnerable there either.

ZooKeeper is the only component of Triton and Manta that is written in Java.
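The advisory's reasoning rests on two checkable facts: the log4j jar shipped with ZooKeeper is a 1.x release (which has no JNDI lookup and so is outside the CVE-2021-44228 range), and the log4j configuration does not wire up JMSAppender (the precondition for CVE-2021-4104). The script below is an added example, not Joyent's own tooling, that lets an operator confirm both on a host; the lib directory and log4j.properties path are assumptions, not Triton or Manta paths.

```shell
#!/usr/bin/env bash
# Added example, not part of the Joyent advisory: audit a ZooKeeper install for
# the log4j version on disk and for a JMSAppender in its log4j configuration.
# Paths and file names are assumptions, not Triton/Manta paths.

# Derive the version string from a log4j jar file name, e.g.
# log4j-1.2.15.jar -> 1.2.15, log4j-core-2.14.1.jar -> 2.14.1
log4j_version_from_jar() {
    basename "$1" .jar | sed -E 's/^log4j(-core|-api)?-//'
}

# Map a log4j version onto the advisory's reasoning.
#   1.x : no JNDI lookup code exists, so CVE-2021-44228 does not apply;
#         CVE-2021-4104 applies only if JMSAppender is configured.
#   2.x : the exact version must be checked against the Apache advisory.
classify_log4j_version() {
    case "$1" in
        1.*) echo "log4j1-not-44228-check-jmsappender" ;;
        2.*) echo "log4j2-check-apache-advisory" ;;
        *)   echo "unknown" ;;
    esac
}

# Return 0 if the config references JMSAppender (the CVE-2021-4104 precondition),
# 1 otherwise. Commented-out lines are ignored.
jmsappender_configured() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q 'JMSAppender'; then
        return 0
    fi
    return 1
}

# Walk a lib directory, printing "<jar> <version> <classification>" for each
# log4j jar, then report the JMSAppender state of the given log4j.properties.
audit_log4j() {
    local libdir="$1" conf="$2" jar ver
    for jar in "$libdir"/log4j*.jar; do
        [ -e "$jar" ] || continue
        ver=$(log4j_version_from_jar "$jar")
        echo "$(basename "$jar") $ver $(classify_log4j_version "$ver")"
    done
    if jmsappender_configured "$conf"; then
        echo "JMSAppender: configured in $conf (CVE-2021-4104 applies to log4j 1.x)"
    else
        echo "JMSAppender: not configured"
    fi
}
```

Run it as `audit_log4j /path/to/zookeeper/lib /path/to/log4j.properties`; a 1.2.x jar plus "JMSAppender: not configured" is the state the advisory describes.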

Actions taken by Joyent

We have written this advisory to help customers understand the use of Java and log4j in the Triton and Manta products.

Actions You Need to Take

There are no actions you need to take since Triton and Manta are not vulnerable.

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.
