Actually log4j 1.x has issue too. See CVE-2021-4104.
Anyway, log4j is only used for testing. So yes, if there's a vulnerability it could only be because a user deployed their own version of Log4j in an application or altered the clickhouse-jdbc build. Moreover, please note that besides JNDI lookup, log4j also supports showing environment variables and system properties, which may unexpectedly expose sensitive information (e.g. user, password, token, etc.) in logs.
I'll make sure log4j will be removed from both develop and master branches starting from 0.3.2.
Hi @zhicwu, your reply is greatly appreciated. We have mentioned this on the Altinity Blog in a writeup on CVE-2021-44228 and will continue to watch responses here. You can also email security at altinity.com if there are additional concerns you would like us to communicate.
Hi, we're checking for vulnerabilities in ClickHouse due to CVE-2021-44228 (Log4Shell log4j vulnerability). It affects log4j 2 versions <= 2.14.1.
So far as I can tell from analysis of the code, the following are true and there's no vulnerability.
`mvn package` downloads log4j-1.2.17.jar, which does not contain affected code. Here's a grep of references to log4j in relevant pom.xml and github config files.
If there's a vulnerability it could only be because a user deployed their own version of Log4j in an application or altered the clickhouse-jdbc build.
Can someone confirm this reasoning?
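The check above reasons from the build files (`mvn package` plus a grep of pom.xml). The following is an added example, not code from this issue or from the clickhouse-jdbc project, that checks the other side of the question raised in the thread: what actually ends up on the classpath, including a log4j-core that a user bundled into their own application jar. It scans a directory of jars, reads each jar's Maven `pom.properties` for the log4j version, checks for `JndiLookup.class` (the class removed by the common manual mitigation) and for the 1.x `JMSAppender.class` relevant to CVE-2021-4104, and recurses into nested jars (shaded/uber jars, `BOOT-INF/lib`). The sample jars are constructed fixtures: the metadata and class paths are the real ones used by the log4j artifacts, but the class bodies are placeholder bytes, and the vulnerable-version threshold is the `<= 2.14.1` stated in the issue.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Real member paths inside the log4j artifacts.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_1X = "META-INF/maven/log4j/log4j/pom.properties"
# Threshold as stated in the issue: log4j 2 <= 2.14.1 is affected by CVE-2021-44228.
# Later 2.15/2.16 releases had follow-up CVEs, so pin to a current release in practice.
LAST_VULNERABLE_2X = (2, 14, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def pom_version(zf, path):
    """Return the version= value of a Maven pom.properties member, or None if absent."""
    if path not in zf.namelist():
        return None
    for line in zf.read(path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_zip(zf, label, findings):
    """Record log4j findings for one (possibly nested) jar, then recurse into nested jars."""
    names = set(zf.namelist())
    v2 = pom_version(zf, POM_2X)
    if v2 is not None or JNDI_LOOKUP in names:
        ver = parse_version(v2)
        has_lookup = JNDI_LOOKUP in names
        if ver is None:
            verdict = "log4j-core of unknown version: treat as vulnerable"
        elif ver <= LAST_VULNERABLE_2X and has_lookup:
            verdict = "vulnerable to CVE-2021-44228"
        elif ver <= LAST_VULNERABLE_2X:
            verdict = "old log4j-core but JndiLookup.class removed (mitigated)"
        else:
            # JndiLookup.class still ships in newer releases; presence alone is not a verdict.
            verdict = "log4j-core newer than 2.14.1 (not affected per issue threshold)"
        findings.append({"jar": label, "artifact": "log4j-core", "version": v2,
                         "jndi_lookup": has_lookup, "verdict": verdict})
    v1 = pom_version(zf, POM_1X)
    if v1 is not None or JMS_APPENDER in names:
        findings.append({"jar": label, "artifact": "log4j (1.x)", "version": v1,
                         "jms_appender": JMS_APPENDER in names,
                         "verdict": "no message lookups; CVE-2021-4104 needs a JMSAppender "
                                    "configured to an attacker-controlled JNDI provider"})
    # Nested jars: shaded/uber jars, WEB-INF/lib, Spring Boot BOOT-INF/lib.
    for member in sorted(names):
        if member.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(member))) as inner:
                scan_zip(inner, f"{label}!{member}", findings)


def scan_dir(directory):
    """Scan every *.jar in a directory; returns a list of finding dicts."""
    findings = []
    for jar in sorted(Path(directory).glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            scan_zip(zf, jar.name, findings)
    return findings


def make_jar(path, members):
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)


def build_fixtures(directory):
    """Constructed sample jars (not the real artifacts): real paths, placeholder class bodies."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed placeholder
    make_jar(d / "log4j-1.2.17.jar", {POM_1X: "version=1.2.17\n", JMS_APPENDER: stub})
    make_jar(d / "log4j-core-2.14.1.jar", {POM_2X: "version=2.14.1\n", JNDI_LOOKUP: stub})
    make_jar(d / "log4j-core-2.17.1.jar", {POM_2X: "version=2.17.1\n", JNDI_LOOKUP: stub})
    # Application uber jar that bundles the vulnerable core: what a pom.xml grep would miss.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_2X, "version=2.14.1\n")
        zf.writestr(JNDI_LOOKUP, stub)
    make_jar(d / "app.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
                             "BOOT-INF/lib/log4j-core-2.14.1.jar": inner.getvalue()})
    return d


def demo():
    """Build the constructed fixtures in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_dir(build_fixtures(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['jar']}: {f['artifact']} {f['version']} -> {f['verdict']}")
```

Point it at a real `WEB-INF/lib`, `target/`, or `~/.m2` tree with `scan_dir(path)` instead of the fixtures; the nested-jar recursion is what distinguishes this from a filename grep, since a shaded application jar carries no `log4j-core` in its name.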