As has been widely reported, log4j (a Java logging library) is vulnerable to remote code execution. See
Triton and Manta use ZooKeeper for state management of Manatee, and for service component registration in the
While our version of ZooKeeper does include log4j, we use version
which is not vulnerable to CVE-2021-44228 according to the Apache advisory. Additionally, CVE-2021-4104 covers usage of log4j when using JMSAppender. We do not use JMSAppender, and are thus not vulnerable there.
ZooKeeper is the only component of Triton and Manta that is written in Java.
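One way to check the JMSAppender statement against a ZooKeeper install of your own, as an added example that is not part of the Joyent advisory: the Python below scans log4j 1.x properties text for appenders of class org.apache.log4j.net.JMSAppender and reports whether any logger references them. The sample configurations are constructed, the function names are this example's own, and the check assumes the properties file format with `=` separators.

```python
import re

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
LOGGER_PREFIXES = ("log4j.logger.", "log4j.category.")
ROOT_KEYS = ("log4j.rootLogger", "log4j.rootCategory")

# Constructed samples in log4j 1.x properties syntax; not Joyent's configuration.
SAMPLE_SAFE = """\
log4j.rootLogger=INFO, CONSOLE, ROLLINGFILE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.ROLLINGFILE=org.apache.log4j.RollingFileAppender
# log4j.appender.OLD=org.apache.log4j.net.JMSAppender
"""
SAMPLE_JMS = """\
log4j.rootLogger=INFO, CONSOLE
log4j.logger.audit = WARN, BUS
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.BUS = org.apache.log4j.net.JMSAppender
log4j.appender.BUS.TopicBindingName=constructed/topic
log4j.appender.SPARE=org.apache.log4j.net.JMSAppender
"""

def parse_properties(text):
    """Return key -> value for non-comment lines (no line-continuation handling)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def find_jms_appenders(text):
    """Map each JMSAppender name to True if some logger line references it."""
    props = parse_properties(text)
    referenced = set()
    for key, value in props.items():
        if key in ROOT_KEYS or key.startswith(LOGGER_PREFIXES):
            # Value is "LEVEL, appender1, appender2"; skip the level field.
            referenced.update(p.strip() for p in value.split(",")[1:])
    found = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_CLASS:  # exact class only; subclasses are not detected
            found[m.group(1)] = m.group(1) in referenced
    return found
```

An empty result means no JMSAppender is defined in that file; it says nothing about configuration supplied programmatically or through an XML config.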
Actions taken by Joyent
We have written this advisory to help clarify how Java and log4j are used in the Triton and Manta products.
Actions You Need to Take
There are no actions you need to take since Triton and Manta are not vulnerable.
If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.